configure sshd port for bro nodes in cluster mode

Is it possible to easily configure Bro in cluster mode to connect on alternate ports other than 22? The reason I ask is that I’m running my bro processes inside containers on a host that already has sshd on port 22 (I’m running a sidecar sshd inside the container on port 2022). I can probably find it if I dig around, but if someone knows how to do this, let me know.

You should be able to map the port Bro is listening on inside the
container to another port on the host. For Docker, the option would be -p
<host-port>:<container-port>. See
https://docs.docker.com/config/containers/container-networking/ for more
details.

Mark

omg, I totally blanked on this. Thanks for reminding me of a container 101 feature.

silly me.

Thanks!

So I realized a couple of things when I got into work today:

  1. I can’t remap the port that my sshd is listening on because I’m using host networking - Docker discards the port mapping in host networking mode.
  2. My issue isn’t the port that bro is listening on but rather the port the manager uses to ssh into the other nodes to run the bro commands to run the workers - you specify the hostnames in the node.cfg, but there doesn’t appear to be a way to specify that I need it to ssh on port 2022 instead of the normal 22. This is only a problem because the hosts I’m running this on are already running an sshd that listens on 22. I might be able to get the port changed for that, but it seems easier to just get bro to connect on a different port. I can’t use the built-in sshd because I want to run the workers, logger, etc in containers.

Obviously I have the source for bro, so I can go and modify it myself, but before I go down that rabbit hole, I want to make sure there isn’t a way to do it already.

echo "Port 2022" > ~/.ssh/config

Though I must say, if you are trying to get bro running on openshift or k8s by running broctl, you are doing it wrong. You don't need to run sshd so broctl can run bro in containers, you just need to run bro in the containers.

I understand, but I’m trying to run in cluster mode, which means there is a manager that is talking to the nodes over ssh. I could run it in non-cluster mode and just have the bro instances analyzing traffic going through the local interface, but we thought going the cluster route would be better.

Also, I understand how to make sshd use a different port. What I’m asking is how to make the bro manager connect to the nodes over that different port.

I understand, but I'm trying to run in cluster mode, which means there is a manager that is talking to the nodes over ssh. I could run it in non-cluster mode and just have the bro instances analyzing traffic going through the local interface, but we thought going the cluster route would be better.

The manager does not talk to the nodes over ssh. Broctl uses ssh to start the bro processes on the worker nodes. That is it. If you just start the processes yourself you don't need broctl or ssh.

Also, I understand how to make sshd use a different port. What I'm asking is how to make the bro manager connect to the nodes over that different port.

~/.ssh/config is not the sshd config.

Oh ok. Guess I hadn’t gotten that far. Ok. I’m all good then. Sorry, I misinterpreted your response on the ssh part. Guess that was a lot simpler than I thought. Sorry for the confusion. :)
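One way to apply the `~/.ssh/config` suggestion from the thread so that port 2022 applies only to the cluster nodes and existing client settings are kept. This is an added example, not code from the thread or from Bro/broctl; the host names `bro-worker1`/`bro-worker2`, the `bastion` entry and the function name are hypothetical.

```shell
#!/bin/sh
# Added example: scope a non-default SSH port to the Bro cluster nodes only.
# Host names, port and file paths are assumptions for illustration.

# add_cluster_ssh_port CONFIG PORT HOST...
# Appends one "Host" block for the given hosts unless the same Host line
# is already present. Existing content of CONFIG is never replaced.
add_cluster_ssh_port() {
    [ "$#" -ge 3 ] || { echo "usage: add_cluster_ssh_port CONFIG PORT HOST..." >&2; return 2; }
    cfg=$1; port=$2; shift 2
    marker="Host $*"

    # Accept only a decimal TCP port in 1..65535.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port: $port" >&2; return 2; }

    # ssh refuses a user config that other users can write to,
    # so create the directory and file with a private umask.
    old_umask=$(umask); umask 077
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    umask "$old_umask"

    # Idempotent: do nothing if this exact Host line already exists.
    if grep -qxF "$marker" "$cfg"; then
        return 0
    fi

    # Append (>>) rather than overwrite (>). Note that ssh uses the first
    # value it finds for each option, so an earlier matching block that
    # also sets Port would take precedence over this one.
    {
        printf '\n%s\n' "$marker"
        printf '    Port %s\n' "$port"
    } >> "$cfg"
}

# Demo on a scratch file with constructed content, not the real ~/.ssh/config.
demo_dir=$(mktemp -d)
printf 'Host bastion\n    User admin\n' > "$demo_dir/config"
add_cluster_ssh_port "$demo_dir/config" 2022 bro-worker1 bro-worker2
cat "$demo_dir/config"
rm -rf "$demo_dir"
```

On the account that runs broctl, `ssh -G bro-worker1 | grep '^port '` prints the port the client will actually use for that host.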