Hi all,
Recently I have been having some problems with Bro and PF_RING in a cluster.
On my server, when I have fewer than 32 worker threads (rings),
everything is okay, but when I use more than 32 worker threads, pf_ring
starts to receive repeating data packets. For example, with fewer than 32 rings, I
send 400000 packets to the server and the pf_ring info in /proc shows there are
400000 packets in the rings, but with more than 32 rings I get 800000
packets with 33 rings, 1200000 packets with 34 rings, and so on.
I wonder if there is some rule that a pf_ring or a Bro cluster can only
support fewer than 32 rings or worker threads on a server, or if there is some other
reason?
Any insight would be helpful.
We recently purchased some Intel XXV710 NICs for our Zeek systems. However,
symmetric hashing does not seem to work on them, at least not completely.
There was some discussion here regarding adding some functionality to the
driver to make it work, however this never landed:
https://sourceforge.net/p/e1000/mailman/message/35199068/
This post discusses how the X710 controller must be configured differently
from the 82599 10G controller (used by the X520 cards):
https://haryachyy.wordpress.com/2019/01/18/learning-dpdk-symmetric-rss/
The odd part is that following the SEPTun-MarkII guide[1] makes it *mostly*
work, but we're consistently finding that ~1-2% of the traffic is not being
symmetrically hashed. We're testing with can-i-use-afpacket-fanout[2] and
Zeek 3.2.
The most damning evidence is an Intel rep telling[3] a customer:
> Unfortunately, we have been informed that the only support to setup
> symmetric RSS is via DPDK.
Searching the mailing list archives, I found a couple of posts where people
were encouraged to use X710-based cards, so I'm left wondering: Are there
people using these? Are they also seeing this 1-2% asymmetry? Or am I
missing a configuration tweak?
Thanks,
--Vlad
[1] - <https://github.com/pevma/SEPTun-Mark-II/blob/master/SEPTun-Mark-II.rst>
[2] - <https://github.com/JustinAzoff/can-i-use-afpacket-fanout>
[3] - <https://community.intel.com/t5/Ethernet-Products/X-L-710-supports-symmetric…>
I am new to Zeek and will be setting up a Zeek system which will use a 10G NIC. I am not sure what NIC/driver configuration to use, and have some questions about PF_RING and AF_Packet. At …
https://docs.zeek.org/en/current/cluster-setup.html#using-pf-ring
… it looks like PF_RING, also known as "Vanilla PF_RING" …
https://www.ntop.org/guides/pf_ring/vanilla.html#vanilla-pf-ring
… makes it possible to assign worker processes to CPU cores by using "packet clustering" …
https://www.ntop.org/guides/pf_ring/vanilla.html#packet-clustering
Is this essentially implementing symmetric Receive Side Scaling?
If so, can Vanilla PF_RING take advantage of a NIC which does symmetric hashing in hardware?
The Zeek docs reference PF_RING+DNA …
https://docs.zeek.org/en/current/cluster-setup.html#using-pf-ring
… although from looking at the ntop site, DNA/Libzero was replaced some time ago with PF_RING ZC (Zero Copy) …
https://www.ntop.org/guides/pf_ring/zc.html
Does Zeek support PF_RING ZC?
If so, in Zeek's node.cfg, how does one know what options to use for …
interface=
lb_method=
It looks like the AF_Packet plugin …
https://github.com/J-Gras/zeek-af_packet-plugin
… does what Vanilla PF_RING does, in that it allows Zeek to have multiple worker processes which use different CPU cores. Can AF_Packet take advantage of a NIC which does symmetric hashing in hardware?
It looks like AF_Packet does not provide a "Zero Copy" type of functionality, found in PF_RING ZC. Is that correct?
I know this is a lot of questions. Any guidance is appreciated.
-- Steve.
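Both Vlad's 1-2% asymmetry measurement and Steve's question about NICs that hash symmetrically in hardware come down to one property of the Toeplitz RSS hash: with a key whose bit pattern repeats every 16 bits (0x6d5a repeated, assumed here to be the key the SEPTun guide sets), swapping source and destination addresses and ports leaves the hash unchanged, so both directions of a flow land on the same queue and therefore the same worker. The example below is added here and is not code from any of the posts or from PF_RING/AF_Packet; the flows are constructed, and mapping a hash to a queue with `hash % nqueues` is a simplification of the NIC's indirection table.

```python
import ipaddress

# Symmetric Toeplitz key (0x6d5a repeated to 40 bytes): every 32-bit window of
# the key is identical at any offset that is a multiple of 16 bits, which is
# exactly what makes src/dst swaps hash-invariant. Assumed to be the SEPTun key.
SYMMETRIC_KEY = bytes.fromhex("6d5a" * 20)

# The default (asymmetric) Toeplitz key from Microsoft's RSS verification suite.
DEFAULT_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b4"
    "77cb2da38030f20c6a42b73bbeac01fa"
)


def toeplitz_hash(key: bytes, data: bytes) -> int:
    """Standard RSS Toeplitz hash: for every set bit i of the input stream,
    XOR in the 32-bit window of the key that starts at bit offset i."""
    key_bits = len(key) * 8
    assert len(data) * 8 + 32 <= key_bits, "key too short for this input"
    key_int = int.from_bytes(key, "big")
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def flow_tuple(src: str, dst: str, sport: int, dport: int) -> bytes:
    """RSS input stream: src addr, dst addr, src port, dst port, network
    byte order. Works for IPv4 (12 bytes) and IPv6 (36 bytes) alike."""
    return (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
            + sport.to_bytes(2, "big") + dport.to_bytes(2, "big"))


def rss_queue(key: bytes, src: str, dst: str, sport: int, dport: int,
              nqueues: int) -> int:
    """Queue a packet lands on (simplified: hash modulo the queue count)."""
    return toeplitz_hash(key, flow_tuple(src, dst, sport, dport)) % nqueues


def is_symmetric(key: bytes, src: str, dst: str, sport: int, dport: int) -> bool:
    """True if both directions of the flow produce the same RSS hash."""
    fwd = toeplitz_hash(key, flow_tuple(src, dst, sport, dport))
    rev = toeplitz_hash(key, flow_tuple(dst, src, dport, sport))
    return fwd == rev


if __name__ == "__main__":
    # Constructed sample flows, not taken from the posts.
    for f in [("10.0.0.5", "192.0.2.10", 40000, 443),
              ("2001:db8::5", "2001:db8::10", 40000, 443)]:
        print(f, "symmetric key:", is_symmetric(SYMMETRIC_KEY, *f),
              "default key:", is_symmetric(DEFAULT_KEY, *f))
```

The same argument extends to IPv6, since 128-bit addresses are also a multiple of 16 bits; note that this only covers hashing over the 4-tuple, so non-TCP/UDP traffic or fragments that the NIC hashes differently still need checking.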
We run 2 redundant Zeek clusters, which provides some safeguards against
individual host or process failure, and virtually eliminates downtime due
to periodic maintenance.
However, ingesting terabytes of logs daily into Splunk eats into our Splunk
license. Has anyone tried deduplicating redundant Zeek logs before sending
them to Splunk (or Elastic Stack, Humio, Graylog, etc.)?
My other thought is to simply not send one redundant set to Splunk unless
an outage has occurred, but I thought I'd check on deduplication.
--
Chris Herdt
Security Analyst | University Information Security (UIS)
University of Minnesota | umn.edu
he, him, his
Hi,
Transitioning from my previous experience of developing analyzers in
BinPAC, I find that Spicy provides some additional flexibility,
independence, and portability, making the Zeek side of the code cleaner. I
have already tried to develop an application-layer analyzer for a custom
protocol based on TCP that I used for the class that I am teaching right
now.
From the Spicy documentation, I see that we can also use Spicy to develop
analyzers on top of "RawLayer" as well as over TCP/UDP. *My question is
whether it is possible to use Spicy to develop analyzers for protocols in
middle layers, for example for a protocol running directly on top of
Ethernet or protocols running directly on top of the IP layer?*
Thank you and best regards,
Hui Lin
Hello,
Is there a page that tracks Zeek security advisories, or at least a page tracking known Zeek vulnerabilities and affected versions?
Thank you
AN
——
From the email inline:
Traceback (most recent call last):
  File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 14, in swig_import_helper
    return importlib.import_module(mname)
  File "/usr/lib/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 994, in _gcd_import
  File "<frozen importlib._bootstrap>", line 971, in _find_and_load
  File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 658, in _load_unlocked
  File "<frozen importlib._bootstrap>", line 571, in module_from_spec
  File "<frozen importlib._bootstrap_external>", line 922, in create_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
ImportError: dynamic module does not define module export function (PyInit__SubnetTree)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/zeek/bin/trace-summary", line 30, in <module>
    import SubnetTree
  File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 17, in <module>
    _SubnetTree = swig_import_helper()
  File "/opt/zeek/lib/zeek/python/SubnetTree.py", line 16, in swig_import_helper
    return importlib.import_module('_SubnetTree')
  File "/usr/lib/python3.6/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
ImportError: dynamic module does not define module export function (PyInit__SubnetTree)
Command exited with non-zero status 1
0:00.27 real, 0.09 user, 0.00 sys, 0K total memory
--
[Automatically generated.]
James
Zeek 4.0.0 is now available:
https://zeek.org/get-zeek/
This is a Long-Term Support (LTS) release, receiving critical
bug-fixes and security patches for the next year. The previous LTS
branch of Zeek 3.0.x may still receive any important security patches
for the next two months, but won't be maintained afterward.
General info about this release can be found in the release notes as
well as a previous blog post from the release-candidate phase:
https://github.com/zeek/zeek/releases/tag/v4.0.0
https://zeek.org/2020/12/15/zeek-4-0-release-candidate/