Hi all,
Recently I have had some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeated data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings, I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I wonder whether there is some rule that a pf_ring or a bro cluster can only
support fewer than 32 rings or worker threads on a server, or some other
reason?
Any insight would be helpful.
Are there any plans to use another communication platform besides IRC? To
the best of my knowledge the IRC channel does not record history, so any
new member is unaware of prior chats / discoveries.
Is there a desire in the community to move to something along the lines of
Discord or Slack? Granted Slack would come at a premium.
I’m trying to create my first protocol analyzer with BinPac for the
synchrophasor protocol (IEEE Std C37.118) – from what I can tell, nobody
has made an analyzer for it yet. I'm trying to define the message format in
synchrophasor-protocol.pac. However, stuff like the format of data packets
is based on a previously sent configuration packet. How do I write
synchrophasor-protocol.pac so I can parse them based on the previously sent
packet? Here’s some documentation on the protocol if you need it:
http://smartgridcenter.tamu.edu/resume/pdf/1/SynPhasor_std.pdf
Again, this is my first time trying to write a protocol analyzer with
BinPac, so sorry if this is obvious.
Thank you
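One way to carry state from a configuration frame into the parsing of later data frames, as an added BinPac sketch that is not from the original post or from any existing Zeek analyzer: the channel counts parsed from the configuration frame are stored on the connection object, and the data frame sizes its arrays from them through $context. Analyzer and type names are assumed, and it is simplified to a single PMU with FORMAT = 0 (all 16-bit integer fields); the field layout follows IEEE C37.118.

```binpac
%include binpac.pac
%include bro.pac

# Names are assumed; simplified to one PMU and FORMAT = 0 (16-bit integer fields).
analyzer SYNPHASOR withcontext { connection: SynPhasor_Conn; flow: SynPhasor_Flow; };

# Per-connection state: channel counts learned from the last configuration frame.
connection SynPhasor_Conn(bro_analyzer: BroAnalyzer) {
    upflow   = SynPhasor_Flow(true);
    downflow = SynPhasor_Flow(false);
    %member{ uint16 phnmr_ = 0, annmr_ = 0, dgnmr_ = 0; %}
    function set_layout(ph: uint16, an: uint16, dg: uint16): bool
        %{ phnmr_ = ph; annmr_ = an; dgnmr_ = dg; return true; %}
    function phnmr(): uint16 %{ return phnmr_; %}
    function annmr(): uint16 %{ return annmr_; %}
    function dgnmr(): uint16 %{ return dgnmr_; %}
};

flow SynPhasor_Flow(is_orig: bool) {
    flowunit = SynPhasor_Frame(is_orig) withcontext(connection, this);
};

# Common frame: SYNC, FRAMESIZE, IDCODE, SOC, FRACSEC, body, CHK (16 fixed bytes).
# Bits 4-6 of SYNC carry the frame type: 0 = data, 2 or 3 = configuration.
type SynPhasor_Frame(is_orig: bool) = record {
    sync:      uint16;
    framesize: uint16;
    idcode:    uint16; soc: uint32; fracsec: uint32;
    body:      case ((sync >> 4) & 0x7) of {
        0       -> data:   Data_Frame;
        2, 3    -> config: Config_Frame;
        default -> other:  bytestring &length = framesize - 16;
    };
    chk:       uint16;
} &length = framesize, &byteorder = bigendian;

# Configuration frame: the counts are parsed here and saved on the connection.
type Config_Frame = record {
    time_base: uint32; num_pmu: uint16; stn: bytestring &length = 16; idcode: uint16;
    format: uint16; phnmr: uint16; annmr: uint16; dgnmr: uint16;
    chnam:   bytestring &length = 16 * (phnmr + annmr + 16 * dgnmr);
    phunit:  uint32[phnmr]; anunit: uint32[annmr]; digunit: uint32[dgnmr];
    fnom: uint16; cfgcnt: uint16; data_rate: uint16;
} &let {
    saved: bool = $context.connection.set_layout(phnmr, annmr, dgnmr);
};

# Data frame: its variable-length parts are sized from the saved configuration.
type Data_Frame = record {
    stat:    uint16;
    phasors: int16[2 * $context.connection.phnmr()];   # rectangular: real, imag pairs
    freq: uint16; dfreq: uint16;
    analog:  uint16[$context.connection.annmr()];
    digital: uint16[$context.connection.dgnmr()];
};
```

A data frame that arrives before any configuration frame parses with zero-length arrays, so a real analyzer would also want to flag that case (for example by raising a weird from the Zeek side) rather than silently accepting it.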
All
Looking for some general information for hardware to support
1Gbps (Single Port) and 10Gbps (Single Port)
How many cores/threads/processors @ ram?
I did see some info on Zeek under clusters that it's about 250MB per
core/per worker; just wanted to see if that is still viable information.
Thanks
Req
All,
I'm trying to troubleshoot why my zeek workers keep regularly dying. The diag log is rather unhelpful, yielding: nohup ${pin_command} $pin_cpu "$mybro" "$@"
Are there some additional troubleshooting methods I can employ to figure out why they're constantly dying?
Thanks,
- Gary
I had bro doctor working, but then we had an issue/accident in the datacenter and I had to rebuild the manager from scratch. I tried to follow my detailed notes from when I installed it the first time. Now bro doctor isn't working, and I'm trying to figure out why. Any suggestions?
$ sudo ./zeekctl doctor.bro
Warning: ZeekControl plugin uses legacy BroControl API. Use
'import ZeekControl.plugin' instead of 'import BroControl.plugin'
Warning: Plugin 'doctor' not activated because its init() method raised exception: 'plugin doctor lookup of unknown config option bro'
Error: unknown command 'doctor.bro'
ZeekControl Version 1.9-49
Thanks for your help,
-Brian
Hi everyone,
I'm trying to run the following script:
https://github.com/hosom/file-extraction/blob/master/scripts/plugins/store-…
The issue is that the EXEC::run command is not working as expected.
I run bro on a pcap file, in debug.log I see that a thread was initiated
and finished with no issues; however, the file is not moved.
Any ideas?
Thank you
B
Hi,
I have a pcap containing only a TCP three-way handshake. When I tried this
pcap in "try zeek" online with a simple tcp_packet event handler, nothing
is printed out and a non_ip_packet_in_ethernet warning is generated in the
weird log. Any idea what is going on?
Best regards,
Hui Lin
--
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign
Hi everyone,
I have a variable that has &optional &default attributes.
I want the &default attribute to have a value of an enum.
So if the enum is: type color: enum { Red, White, Blue, };
c: color &default=Red;
does not work.
Any ideas on the correct syntax?
Thank you
B
Hi there,
I am using zeek in a container with the host's network. My bro/zeek version is
as follows. The bold text shows the commands that get executed in the container.
# docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek --version*
bro version 2.6-255
I ran zeek with the detect-webapps bro script from policy. I browsed a couple
of phpadmin websites etc., but *I could not get any logs specific to
detect-webapps.*
# docker run --cap-add=NET_RAW --net=host --rm blacktop/*zeek -i 'enp2s0'
protocols/http/detect-webapps*
listening on enp2s0
~~~~~
It runs forever and I got the following log files:
conn.log dns.log packet_filter.log weird.log
dhcp.log files.log ssl.log x509.log
*Where to get detect-webapps log file?*
*What does detect-webapps do and where does it log its data?*
Any help will be much appreciated.
--
Regards,
Sachin Giri