Good afternoon. I am still relatively new to Bro and working on building a
cluster here at MUSC. In the process of setting up and configuring the IDS I
have run into some issues and would like to ask the list a few questions.
1) Is Linux even a reliable platform to think about using for Bro? Based
on my experience the logs seem to be missing traffic. I have been making
connections in and out of our network that pass through our network TAP and
Bro does not always log them. Upon further investigation it appears that
packets are being dropped (based on broctl netstats worker-1). I attempted to
use pf_ring and compile Bro with libpcap-1.0.0-ring. This seemed to help some
but not a lot.
Try the following in /etc/sysctl.conf
net.core.rmem_max = 33554432
net.core.netdev_max_backlog = 10000
net.core.rmem_default = 33554432
What output do you get from capstats?
How much CPU is your bro process using? As long as it isn't maxing out a cpu
core, it shouldn't be dropping packets. If it is maxing out the cpu, then the
problem isn't with capturing, it is with doing too much analysis. If you have
an ethernet card that uses the igb driver you can try the pf_ring tn_api stuff:
http://www.ntop.org/TNAPI.html
You can use it to run a single node bro cluster with each worker capturing from
eth0@0, eth0@1, eth0@2, eth0@3.
2) In regards to question #1, am I interpreting the output of broctl
netstats correctly? Specifically if my dropped number is higher than my recvd
number then that means Bro is processing < 50% of my network traffic?
What version of bro are you running? In 1.4.x the pcap stats for dropped
packets were recorded incorrectly on linux. I see some amount of dropped
packets, but usually less than 1 percent.
3) In the "diag" output I see that the workers are reporting "pcap
bufsize = 8192". Is this tunable on Linux? Are there any other suggestions
for Linux tuning to decrease the amount of dropped packets?
4) Is anyone else running a reliable, stable Bro cluster on Linux?
I've been running bro on linux for years now...
We are using RedHat Enterprise Linux 5.4, 64-bit.
Debian 64bit
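A small script, added here as an example and not taken from the thread, that does the two checks the replies ask for: it turns `broctl netstats` lines into a per-worker drop percentage (so "dropped higher than recvd" shows up as a figure above 50%) and compares the running kernel values against the sysctl settings suggested above. It assumes the netstats line format `worker-1: <timestamp> recvd=N dropped=N link=N`; the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample of `broctl netstats` output (format assumed, see lead-in).
SAMPLE_NETSTATS='worker-1: 1352231955.001291 recvd=2873891 dropped=0 link=2873891
worker-2: 1352231955.002104 recvd=1500000 dropped=2000000 link=3500000'

# drop_pct: read netstats lines on stdin, print "<worker> <dropped%>" per line.
# The percentage is dropped / (recvd + dropped); a worker whose dropped count
# exceeds recvd therefore shows more than 50%, i.e. Bro saw under half the traffic.
drop_pct() {
    awk '{
        w = $1; sub(/:$/, "", w)
        recvd = 0; dropped = 0
        for (i = 3; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "recvd")   recvd = kv[2]
            if (kv[1] == "dropped") dropped = kv[2]
        }
        total = recvd + dropped
        pct = (total > 0) ? 100 * dropped / total : 0
        printf "%s %.1f\n", w, pct
    }'
}

# check_sysctl: compare the live value of a net.core.* key (read via /proc/sys)
# with the recommended minimum; prints "ok", "low" or "missing" for that key.
check_sysctl() {
    key=$1; want=$2
    path="/proc/sys/$(printf '%s' "$key" | tr . /)"
    [ -r "$path" ] || { echo "$key missing"; return 0; }
    cur=$(cat "$path")
    if [ "$cur" -ge "$want" ]; then
        echo "$key ok ($cur)"
    else
        echo "$key low ($cur < $want)"
    fi
}

printf '%s\n' "$SAMPLE_NETSTATS" | drop_pct
check_sysctl net.core.rmem_max 33554432
check_sysctl net.core.netdev_max_backlog 10000
check_sysctl net.core.rmem_default 33554432
```

On a live node replace the sample with `broctl netstats | drop_pct`; bear in mind the reply's note that 1.4.x recorded the dropped counter incorrectly on Linux, so the percentage is only as good as the stats Bro reports.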