[Zeek] "bro-cluster-in-a-box-setup" to "zeek-cluster-in-a-box-setup"?

Justin Azoff justin at corelight.com
Wed Feb 5 14:23:50 PST 2020


OOOH!  You can bond two interfaces together and run af_packet on the bond0
interface? That works?!?

On Wed, Feb 5, 2020 at 5:13 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> There's a law that if you say pf_ring and af_packet 3 times, Michal shows
> up.
>
> I don't see many (any?) reasons for using pf_ring, TBH, if you have a
> modern kernel or a decent network card (Mellanox, Intel, etc). And I still
> owe the community the article to show how to use the af_packet correctly :/
>
> The case where one has inputs from multiple taps to multiple network
> ports will be handled the same way by af_packet (if interfaces are bonded
> or bridged) and by pf_ring. None of them buffers data and processes them at
> L4 and deals with out-of-order, etc.
>
> On Wed, Feb 5, 2020 at 2:04 PM Scott Wang <scwang+bro at sfu.ca> wrote:
>
>> At the Canarie workshop, Steve Smoot from Corelight suggested using
>> pf_ring still. Any thoughts/comments on switching to af_packet? Advantages
>> vs Disadvantages?
>>
>> Regards,
>> Scott
>>
>> On Feb 05, 2020, at 12:48, Justin Azoff <justin at corelight.com> wrote:
>>
>> Hi!
>>
>> It shouldn't be that hard to update to 3.x.
>>
>> - bro-pkg should be swapped out with the renamed zkg
>> - the python2 references can likely be changed to 3
>> - caf no longer needs to be installed separately
>> - geoip and databases need to be swapped out with maxminddb versions,
>> might need a license
>> - probably worth it to switch to af_packet from pf_ring. pf_ring was
>> only used initially to easily support capturing directly from both
>> halves of a tap, which might not be a requirement anymore.
>>
>> My schedule is a bit crazy for the next week, but once I have some time
>> to work on it I should be able to get things updated pretty quickly.
>> There's really not much to it.
>>
>>
>>
>> On Wed, Feb 5, 2020 at 12:38 PM Paul Sibley <Paul.Sibley at canarie.ca>
>> wrote:
>>
>>> Hello Zeek Community,
>>>
>>> I am working on a project where Zeek has been deployed in two phases.
>>> During the first phase, some participants used the
>>> “https://github.com/ncsa/bro-cluster-in-a-box-setup” script to assist
>>> in, and automate, a lot of the installation process.
>>>
>>> Since then we have entered the phase in our project where more
>>> participants have been added, CentOS 8 is preferred, and we are using Zeek
>>> 3.0.1.
>>>
>>> I wonder if any consideration, or work has been done, in updating the
>>> bro-cluster-in-a-box script to work with the updated OS and Zeek version.
>>> Any information would be appreciated.
>>>
>>> Thanks in advance,
>>>
>>> Paul Sibley
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>
>>
>>
>> --
>> Justin
>>
>>
>
>

-- 
Justin
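Added example, not code from the thread or from the cluster-in-a-box project: a POSIX shell script that does what Justin's upgrade note (switch from pf_ring to af_packet) and Michał's remark (capture the two halves of a tap through a bonded interface) describe together. It builds the bond with `ip link` and emits a zeekctl `node.cfg` whose worker reads `af_packet::bond0` with fanout across several processes. Assumptions: the zeek-af_packet-plugin and its zeekctl plugin are installed, the tap halves are the constructed names `ens1f0`/`ens1f1`, the bond is `bond0`, the fanout id `23` and the four-process count are placeholders, and `balance-rr` is chosen because `active-backup` discards frames arriving on the inactive slave, which would silently drop one tap half.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the ncsa project).
# Capture both halves of a tap via a Linux bond and run Zeek's af_packet
# source on the bond, load-balanced over several worker processes.
# Assumed/constructed: interface names, fanout id 23, 4 worker processes.

TAP_A=${TAP_A:-ens1f0}
TAP_B=${TAP_B:-ens1f1}
BOND=${BOND:-bond0}

# Interface names must be plain kernel ifnames (max 15 chars, no shell
# metacharacters) before they are interpolated into commands or config.
valid_ifname() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# Build the capture bond. Needs root, so it is only a function here.
# balance-rr delivers frames received on every slave; active-backup would
# drop everything arriving on the non-active tap half (assumption about
# bonding-driver behaviour, stated in the lead-in).
make_capture_bond() {
    ip link add "$BOND" type bond mode balance-rr
    ip link set "$TAP_A" down
    ip link set "$TAP_B" down
    ip link set "$TAP_A" master "$BOND"
    ip link set "$TAP_B" master "$BOND"
    for i in "$TAP_A" "$TAP_B" "$BOND"; do
        ip link set "$i" promisc on   # see frames not addressed to this host
        ip link set "$i" up
    done
    # No IP address is assigned: the bond is a sniffing-only interface.
}

# One logical worker per capture interface, fanned out over $2 processes.
# af_packet_fanout_id must be unique per interface on a host; FANOUT_HASH
# keeps both directions of a flow on the same process.
worker_stanza() {
    iface=$1; procs=$2; fanout_id=$3
    cat <<EOF
[worker-$iface]
type=worker
host=localhost
interface=af_packet::$iface
lb_method=custom
lb_procs=$procs
af_packet_fanout_id=$fanout_id
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size=128*1024*1024
EOF
}

# Complete single-host node.cfg: logger, manager, one proxy, bond worker.
node_cfg() {
    cat <<EOF
[logger]
type=logger
host=localhost

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

EOF
    worker_stanza "$BOND" "${1:-4}" 23
}

# Usage: ./bond-afpacket.sh --print [procs] > /opt/zeek/etc/node.cfg
if [ "${1:-}" = "--print" ]; then
    for n in "$TAP_A" "$TAP_B" "$BOND"; do
        valid_ifname "$n" || { echo "bad interface name: $n" >&2; exit 1; }
    done
    node_cfg "${2:-4}"
fi
```

Run `make_capture_bond` once as root (or translate it into your distribution's persistent network configuration), then write the generated `node.cfg`, `zeekctl deploy`, and confirm with `zeekctl status` that `lb_procs` worker processes are attached to `bond0`. The pf_ring-specific settings (`pfringclusterid` and a separately installed pf_ring kernel module) are no longer needed; only one fanout group per interface needs a unique id.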