Good afternoon. I am still relatively new to Bro and working on building a cluster here at MUSC. In the process of setting up and configuring the IDS I have run into some issues and would like to ask the list a few questions.
-
Is Linux even a reliable platform to think about using for Bro? Based on my experience the logs seem to be missing traffic. I have been making connections in and out of our network that pass through our network TAP and Bro does not always log them. Upon further investigation it appears that packets are being dropped (based on broctl netstats worker-1). I attempted to use pf_ring and compile Bro with libpcap-1.0.0-ring. This seemed to help some but not a lot.
-
In regards to question #1, am I interpreting the output of broctl netstats correctly? Specifically if my dropped number is higher than my recvd number then that means Bro is processing < 50% of my network traffic?
-
In the “diag” output I see that the workers are reporting “pcap bufsize = 8192”. Is this tunable on Linux? Are there any other suggestions for Linux tuning to decrease the amount of dropped packets?
-
Is anyone else running a reliable, stable Bro cluster on Linux?
We are using RedHat Enterprise Linux 5.4, 64-bit.
Thanks,
Scott Powell
Unix Systems Engineer / Information Security Analyst
Office of the CIO - Information Systems (OCIO-IS)
Medical University of South Carolina
powellsm@musc.edu
(843) 792-6651