[Zeek] "bro-cluster-in-a-box-setup" to "zeek-cluster-in-a-box-setup"?

Mark Buchanan mabuchan at gmail.com
Wed Feb 5 14:38:45 PST 2020


Somewhat of a tangent, but did af_packet in CentOS/RHEL 7 kernels ever solve the distribution of packets across multiple bro/zeek processes when observing IPv6 traffic?

I observed an issue a while back where when watching traffic on an interface (bonded or not) with multiple bro/zeek processes, that all processes would see the IPv6 traffic, vice only one process.  IPv4 worked properly, but any network with IPv6 had some nasty logs because of duplication.

--
Mark Buchanan
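One way to check a cluster for the per-worker duplication described above, as an added example that is not from this thread or the bro-cluster-in-a-box project: group conn.log rows by timestamp and 5-tuple, and treat a group with more than one uid as the same packets having been logged by several workers, split by IP version. The conn.log sample below is constructed; the field names are Zeek's default conn.log columns.

```python
"""Spot connections logged by more than one Zeek worker (fanout duplication).
Constructed conn.log sample: two IPv4 flows seen once, one IPv6 flow seen twice."""
import ipaddress
from collections import defaultdict

SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1580942300.100000\tC1aaaa\t10.0.0.5\t52000\t10.0.0.9\t443\ttcp\tssl
1580942300.200000\tC2bbbb\t10.0.0.6\t52001\t10.0.0.9\t80\ttcp\thttp
1580942301.300000\tC3cccc\t2001:db8::5\t52002\t2001:db8::9\t443\ttcp\tssl
1580942301.300000\tC4dddd\t2001:db8::5\t52002\t2001:db8::9\t443\ttcp\tssl
#close\t2020-02-05-14-38-45
"""


def parse_conn_log(text):
    """Parse Zeek's TSV conn.log into dicts keyed by the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other header lines, blanks, or data before the header
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def duplicate_stats(rows):
    """Return per-IP-version counts of flows and of flows logged under >1 uid.

    Two workers seeing the same packets each emit a conn.log row with the same
    ts and 5-tuple but a different uid, so >1 uid per key is the symptom."""
    groups = defaultdict(set)
    for r in rows:
        key = (r["ts"], r["id.orig_h"], r["id.orig_p"],
               r["id.resp_h"], r["id.resp_p"], r["proto"])
        groups[key].add(r["uid"])
    stats = {4: {"flows": 0, "duplicated": 0}, 6: {"flows": 0, "duplicated": 0}}
    for key, uids in groups.items():
        version = ipaddress.ip_address(key[1]).version
        stats[version]["flows"] += 1
        if len(uids) > 1:
            stats[version]["duplicated"] += 1
    return stats


if __name__ == "__main__":
    print(duplicate_stats(parse_conn_log(SAMPLE_CONN_LOG)))
```

A healthy fanout shows `duplicated` at or near zero for both versions; a high IPv6 ratio with a clean IPv4 ratio is the pattern described in the message above.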

> On Feb 5, 2020, at 16:26, Justin Azoff <justin at corelight.com> wrote:
> 
> 
> OOOH!  You can bond two interfaces together and run af_packet on the bond0 interface? that works?!?
> 
>> On Wed, Feb 5, 2020 at 5:13 PM Michał Purzyński <michalpurzynski1 at gmail.com> wrote:
>> There's a law that if you say pf_ring and af_packet 3 times, Michal shows up.
>> 
>> I don't see many (any?) reasons for using pf_ring, TBH, if you have a modern kernel or a decent network card (Mellanox, Intel, etc). And I still owe the community the article to show how to use the af_packet correctly :/
>> 
>> The case where one has inputs from multiple taps, to multiple network ports will be handled the same way by af_packet, if interfaces are bonded or bridged and by pf_ring. None of them buffers data and processes them at L4 and deals with out of order, etc.
>> 
>>> On Wed, Feb 5, 2020 at 2:04 PM Scott Wang <scwang+bro at sfu.ca> wrote:
>>> At the Canarie workshop, Steve Smoot from Corelight suggested using pf_ring still. Any thoughts/comments on switching to af_packet? Advantages vs Disadvantages?
>>> 
>>> Regards,
>>> Scott
>>> 
>>>> On Feb 05, 2020, at 12:48, Justin Azoff <justin at corelight.com> wrote:
>>>> 
>>>> Hi!
>>>> 
>>>> It shouldn't be that hard to update to 3.x.. 
>>>> 
>>>> - bro-pkg should be swapped out with the renamed zkg
>>>> - the python2 references can likely be changed to 3
>>>> - caf no longer needs to be installed separately
>>>> - geoip and databases need to be swapped out with maxminddb versions, might need a license
>>>> - probably worth it to switch to af_packet from pf_ring.. pf_ring was only used initially to easily support capturing directly from both halves of a tap, which might not be a requirement anymore.
>>>> 
>>>> My schedule is a bit crazy for the next week, but once I have some time to work on it I should be able to get things updated pretty quickly.. There's really not much to it.
>>>> 
>>>> 
>>>> 
>>>>> On Wed, Feb 5, 2020 at 12:38 PM Paul Sibley <Paul.Sibley at canarie.ca> wrote:
>>>>> Hello Zeek Community,
>>>>> 
>>>>> I am working on a project where Zeek has been deployed in two phases.  During the first phase, some participants used “https://github.com/ncsa/bro-cluster-in-a-box-setup” script to assist in, and automate a lot of the installation process.
>>>>> 
>>>>> Since then we have entered the phase in our project where more participants have been added, CentOS 8 is preferred, and we are using Zeek 3.0.1.
>>>>> 
>>>>> I wonder if any consideration, or work has been done, in updating the bro-cluster-in-a-box script to work with the updated OS and Zeek version.  Any information would be appreciated.
>>>>> 
>>>>> Thanks in advance,
>>>>> 
>>>>> Paul Sibley
>>>>> 
>>>>> _______________________________________________
>>>>> Zeek mailing list
>>>>> zeek at zeek.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>> 
>>>> 
>>>> -- 
>>>> Justin
>>> 
> 
> 
> -- 
> Justin