Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeating data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but when there are more than 32 rings, I get 800000
packets with 33 rings and 1200000 packets with 34 rings and so on.
I wonder whether there is some rule that PF_RING or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or whether there is some other
reason?
Any insight would be helpful.
I was wondering if anyone can tell me why the sha256 hash functionality
isn't turned on by default for the files log.
I am working on something and needed to turn it on. I normally only use Bro
to process pcap files offline and have never used it on a live network.
Does it cause performance issues?
Thanks,
Shawn
Bro Community,
A few people have been asking when the BroCon slides and videos will be posted. We need to do some post-production and other work before this is done. A rough estimate, barring unforeseen interruptions, is one month. When they are ready we’ll communicate it on our mailing list and social media outlets.
Thanks for your patience.
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
Hi everyone
Today I successfully installed Bro as a standalone worker on an Ubuntu
system; it has 16 cores, 8GB RAM (can be expanded) and about 2TB of disk.
It's receiving traffic from a passive fibre network interface.
The interface configuration is as follows
br0 - bridged interface
p1p1 - RX of fibre
p1p2 - TX of fibre
br1 - Bridged interface
p2p1 - RX of fibre
p2p2 - TX of fibre
So I have br0 configured and being monitored correctly. br0 is monitoring
one part of the network up towards public facing infrastructure and br1 is
monitoring more local stuff, so it's not NAT'd and closer to the hosts.
As it is one physical system with 2 interfaces, what is the best way for me
to monitor both feeds and log it correctly? All of my logs are being fed
into a SIEM with JSON output.
Can I have separate roles configured on the one physical system and each
interface being defined as a separate worker?
So PF_RING as the front end, then a manager and proxy, but each worker
defined within the cluster worker config as the same host but different
interfaces.
Or should I suggest getting additional hardware and splitting the
interfaces? It seems a little silly that one worker can only monitor one
interface, I thought. That's why I thought I'd ask here first.
Thanks,
John
I know I've brought this up before, but I was going to put this in on
the github but that feature isn't enabled.
I know a lot of people just use broctl and be done with it, but I just
use it via the command line most of the time. It would REALLY be nice to have
a command line switch to not overwrite log files and just append to
existing files. Thank you.
James
Hi all,
I am reading through Bro's documentation for a variety of purposes. I am
new to it and really want to understand the internals, the scripting
language, scaling up for clustering for larger link monitoring, etc.
I find the website's layout not that good for reading, as I am used to reading a
book about any other open source project I read about. Other open source
security projects I read about have PDF versions of their documentation so
people can print it out, etc.
Is the same thing available for Bro? I have copied all of the doco into a
Word document but cancelled that as the formatting was ugly. The only mention
of Bro in a book I have found is a couple of pages long. I'd like the entire
documentation available for whatever the latest release is, but as a PDF.
Does anyone else know where to find it? Or if it's even available?
Thanks,
John
Does anyone have experience using Bro to run its analysis on PCAPs being
written to a directory in an automated fashion?
Should a cron just be run at a lag using bro -r and script options?
Thank you,
-Art
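Art's question above (running Bro over pcaps that land in a directory from cron) and Shawn's earlier one (turning on SHA256 for files.log when processing pcaps offline) can share one driver script. The following is an added example, not code from this thread or from the Bro project. Everything in it is an assumption of mine: that bro is on PATH (override with $BRO), that captures end in .pcap, that a capture is complete once it has not been modified for $MIN_AGE seconds, and that an OUTDIR/<name>.done marker is a good enough record of what has already been processed.

```shell
#!/bin/sh
# Added example (not code from the thread): a cron-driven processor that
# runs "bro -r" on pcaps dropped into a directory. Assumptions, all mine:
# bro is on PATH (override with $BRO), pcaps end in .pcap, a file is
# considered complete once it has not been modified for $MIN_AGE seconds,
# and an OUTDIR/<name>.done marker records what has been processed.
BRO="${BRO:-bro}"
MIN_AGE="${MIN_AGE:-60}"
# Extra Bro scripts to load after local.bro, e.g. one that enables SHA256
# hashing in files.log (assumed; space separated, may be empty).
BRO_SCRIPTS="${BRO_SCRIPTS:-}"

# is_quiescent FILE: succeeds if FILE was last modified >= MIN_AGE seconds ago,
# the portable way to tell that the capture tool has finished writing it.
is_quiescent() {
    now=$(date +%s)
    # GNU stat first, BSD/macOS stat as the fallback
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    [ $((now - mtime)) -ge "$MIN_AGE" ]
}

# process_pcaps INDIR OUTDIR: run bro -r on every unprocessed, quiescent pcap,
# writing its logs under OUTDIR/<name>/ and then creating OUTDIR/<name>.done.
# Prints the name of each pcap processed, one per line.
process_pcaps() {
    indir=$1
    outdir=$2
    for pcap in "$indir"/*.pcap; do
        [ -f "$pcap" ] || continue          # no match: the glob stays literal
        name=$(basename "$pcap" .pcap)
        [ -e "$outdir/$name.done" ] && continue
        is_quiescent "$pcap" || continue    # still being written, next run
        mkdir -p "$outdir/$name"
        # bro writes its logs to the working directory, hence the subshell.
        # $BRO_SCRIPTS is deliberately unquoted so each script is one argument.
        if ( cd "$outdir/$name" && "$BRO" -r "$pcap" local $BRO_SCRIPTS ); then
            : > "$outdir/$name.done"
            echo "$name"
        else
            echo "bro failed on $pcap, will retry next run" >&2
        fi
    done
}

# run_locked LOCKDIR CMD...: mkdir-based mutex so two cron invocations that
# overlap (a long pcap, a slow disk) never process the same file twice.
run_locked() {
    lock=$1
    shift
    if mkdir "$lock" 2>/dev/null; then
        trap 'rmdir "$lock"' EXIT           # release even if CMD is killed
        "$@"
        rc=$?
        rmdir "$lock"
        trap - EXIT
        return $rc
    fi
    echo "another run holds $lock, skipping" >&2
    return 0
}

# Typical crontab line (assumed paths):
#   */5 * * * * /usr/local/bin/pcap-to-bro.sh /data/pcaps /data/bro-logs
if [ $# -ge 2 ]; then
    run_locked "$2/.lock" process_pcaps "$1" "$2"
fi
```

The quiescence check is the part that matters for correctness: a rotating capture tool is still appending to its newest file, and running bro -r on it would produce a truncated, then duplicated, set of logs. The lock covers the other race, a cron tick that fires while the previous run is still chewing on a large pcap. For Shawn's case, set BRO_SCRIPTS to a small Bro script whose file_new handler calls Files::add_analyzer(f, Files::ANALYZER_SHA256); hashing every file is extra CPU per file, which is the trade-off behind making it opt-in.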
Hi,
Does bro handle the case where I am sniffing from two interfaces I1 and I2,
and I1 sees the client side traffic and I2 sees the server side traffic? If
this is supported, does the scenario of more than two interfaces also work?
Thanks.
Dk.
Hi all,
One of my installations runs on an old linux laptop monitoring wifi traffic
exclusively in standalone.
I'm wondering what the convention is for node.cfg to add monitoring to the
wired interface as well.
The use case is, the system is taken off the wifi and restarted at a second
location for monitoring a wired connection.
Is the following node.cfg valid?
[bro]
type=standalone
host=localhost
interface=wlan0
interface=eth0
Or is a better configuration to use 2 workers, one for each interface?
Thanks in advance,
Chris
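Both John's question (one box, br0 and br1, each as its own worker) and Chris's (wlan0 plus eth0 in node.cfg) come down to the same broctl layout: one worker section per capture interface, all on the same host. The node.cfg below is an added example, not a file from either poster or from the Bro project; the section names, the host value and the interface names are assumptions to adapt.

```ini
# Added example node.cfg: one Bro worker per capture interface on a single
# host. Section names, hosts and interface names are assumptions.
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# The two workers differ only in the interface they capture from.
[worker-eth0]
type=worker
host=localhost
interface=eth0

[worker-wlan0]
type=worker
host=localhost
interface=wlan0
```

A standalone section carries one interface value, so listing interface= twice under [bro] does not give a second capture; the cluster layout above is the way to cover both links, and the manager merges the workers' logs so the SIEM feed still comes from one place. With PF_RING on the box, adding lb_method=pf_ring and lb_procs=N to a worker section spreads that interface across N processes, which is the "same host, different interfaces" arrangement John describes.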
I have two workers that are constantly pegged at dropping 50% of the
packets I am processing. It is always the same two workers. This is on bro
2.4.1, so I don't have misc-stats (yet). Is there a way I can troubleshoot
why I have problems with these two workers?