Bro clustered limit load

David1 · June 13, 2016, 12:48pm

Hi,

I'd like to know if there is a way to select which script a worker is loading.
The goal is to limit the packets that needs to be analyzed.
On a dedicated interface I've mirrored traffic going to one of our server which has, along other protocols, tones of dns and nfs traffic, I'm only interested in dns traffic.
Nfs can be bandwidth consuming (up to 600mbps with capstats) so I'd like Bro to only analyses dns packets.
Can we tell Bro to only load dns inspector for a given interface/worker ?

I've also think of firewalling everything except udp/53 but i would have to give network interface an ip address....

Thanks,

David

Hosom_Stephen_M · June 13, 2016, 2:08pm

David,

You could apply a BPF in Bro.

https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html

The packets will still hit the interface, but Bro will only monitor the packets based on the BPF.

Azoff_Justin_S · June 13, 2016, 2:24pm

broctl starts each worker with an option that tells each worker to use its own name as a script prefix. If you look at the running bro command you should see something like

/usr/local/bro/bin/bro -i p1p1 -U .status -p broctl -p broctl-live -p local -p worker-1 local.bro broctl base/frameworks/cluster local-worker.bro broctl/auto

where 'worker-1' is the name of the worker.

This means that if you create a script called worker-1.local.bro, it will be loaded for that worker only

David1 · June 13, 2016, 2:57pm

Thanks Justin, looks like exactly what I want.

David

Topic		Replies	Views
intel framework, disabling certain feeds to certain workers Zeek	4	88	May 6, 2022
troubleshooting bro memory usage? Zeek	19	369	May 6, 2022
Worker configuration in Bro cluster Zeek	2	65	May 6, 2022
Identifying interface when running with multiple interfaces Zeek	3	61	May 6, 2022
Trying to use different bpf filters on every worker Zeek	3	73	May 6, 2022

Bro clustered limit load

Related Topics