Interface Removed From Config but Keeps Monitoring Traffic

Hi,

I configured an afpacket interface in addition to one I was already using and it monitored fine but I want to stop monitoring this link for now and just leave it to Suricata at the moment.

I have removed the configuration for it and redeployed, cleaned and everything else I can think of, and many config installs, and when started, while only the workers configured on the original interface show in running jobs, I am still getting traffic events from the other interface (I know this because of the IPs being monitored).

Is there anything I can check or clean up to try and force bro to completely “forget” it ever knew about this interface? Thanks.

Kind Regards,
Kevin Ross

Hi,

> I configured an afpacket interface in addition to one I was already using and it monitored fine but I want to stop monitoring this link for now and just leave it to Suricata at the moment.
>
> I have removed the configuration for it and redeployed, cleaned and everything else I can think of, and many config installs, and when started, while only the workers configured on the original interface show in running jobs, I am still getting traffic events from the other interface (I know this because of the IPs being monitored).

Ah, you needed to stop those extra workers before removing them from
the configuration. I thought we added something to warn people when
they did that, but that may only detect if you reduce lb_procs and not
remove an interface entirely.

> Is there anything I can check or clean up to try and force bro to completely "forget" it ever knew about this interface? Thanks.

The easiest thing to do would be to do

    broctl stop
    broctl ps.bro

That should show any remaining orphaned bro processes. Kill those,
then start things back up and you should be good to go.

Ok it seems to be fine now. The ps.bro showed nothing but I added the interface back in and ran it again (it didn’t show those threads either before with status). Then I stopped bro and commented it out again and redeployed and seems ok now. Before when I changed I commented them out while bro was running and redeployed.

Thanks for your time,
Kevin
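
An added example, not part of the thread and not BroControl's own code: a check for the situation discussed above, where a worker keeps sniffing an interface that is no longer in the configuration. It compares the interfaces in a node.cfg against the `-i` argument of running bro processes and reports the leftovers. The node.cfg and `ps` text are constructed samples, the worker command-line shape is an assumption, and the function names are hypothetical.

```python
import configparser

# Constructed node.cfg after the second interface was commented out.
NODE_CFG = """\
[manager]
type=manager
host=localhost

[worker-1]
type=worker
host=localhost
interface=af_packet::eth1
lb_method=custom
lb_procs=2

#[worker-2]
#type=worker
#host=localhost
#interface=af_packet::eth2
"""

# Constructed `ps -eo pid,args` output; the argument layout is an assumption.
PS_OUTPUT = """\
 4101 /usr/local/bro/bin/bro -U .status -p broctl -p manager local.bro
 4153 /usr/local/bro/bin/bro -i af_packet::eth1 -U .status -p worker-1-1 local.bro
 4154 /usr/local/bro/bin/bro -i af_packet::eth1 -U .status -p worker-1-2 local.bro
 3990 /usr/local/bro/bin/bro -i af_packet::eth2 -U .status -p worker-2-1 local.bro
"""

def configured_interfaces(cfg_text):
    """Interfaces of every active (non-commented) worker section."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    return {cp[s]["interface"] for s in cp.sections()
            if cp[s].get("type") == "worker" and "interface" in cp[s]}

def orphaned_workers(cfg_text, ps_text):
    """Return (pid, interface) for bro processes on unconfigured interfaces."""
    wanted = configured_interfaces(cfg_text)
    orphans = []
    for line in ps_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].isdigit():
            continue
        if not (parts[1] == "bro" or parts[1].endswith("/bro")):
            continue
        args = parts[2:]
        if "-i" in args and args.index("-i") + 1 < len(args):
            iface = args[args.index("-i") + 1]
            if iface not in wanted:
                orphans.append((int(parts[0]), iface))
    return orphans

if __name__ == "__main__":
    for pid, iface in orphaned_workers(NODE_CFG, PS_OUTPUT):
        print(f"orphaned worker pid={pid} still capturing on {iface}")
```

The script only reports; stopping the listed processes and restarting the cluster remains a manual step as described in the reply.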