Hi,
I'm in the process of upgrading from 1.4 to 1.5.1. I have a splitter
feeding 2 NICs running on Ubuntu 8.04, eth0 & eth1. With Bro 1.4 I could
specify interface="eth0 eth1" and set them up with no IP address.
This method does not seem to work w/ 1.5.1 so I started looking at ifenslave
and interface bonding. This might work but requires an IP address to be
assigned to the bonded interface (bond0 in this case).
Any suggestions? I can't find much in the way of applicable documentation.
I know that Ubuntu is not the development platform, but it fits into our
shop better than FreeBSD.
Thanks,
Mike
I'm in the process of upgrading from 1.4 to 1.5.1. I have a splitter
feeding 2 NICs running on Ubuntu 8.04, eth0 & eth1. With Bro 1.4 I could
specify interface="eth0 eth1" and set them up with no IP address.
I'm surprised to hear that doesn't work. I don't think anything changed with that area of the code.
Any suggestions? I can't find much in the way of applicable documentation.
I know that Ubuntu is not the development platform, but it fits into our
shop better than FreeBSD.
I don't know if it's the most efficient way or not, but I've have created bridges and added all of my interfaces into the bridge. It's supported by almost everything and the configuration is really simple.
.Seth
If you do this, you have to be aware that other pieces of functionality with BroControl will break or work in odd ways. If your traffic doesn't need to be recombined (you have complete sessions on each interface) it probably makes more sense to run your sensor as a single host cluster and have a cluster worker watch each interface.
.Seth
Thanks, I'll keep playing with it and look at the bridging solution.
Mike