Myricom and Bro

Moving from the Security Onion list.

I've thrown about 1.5Gbit of traffic on the host, give or take 500Mbit.

12 workers. Bro from the svn (oh well).

Hm, are you using our git repository? Or are you using some old version from our subversion repository that still exists (but hasn't been touched for a long time)?

Yep, fresh git.

Myricom support told me to:

"And also make sure that you are using the latest Bro 2.0 and that the Sniffer environment flags are set in /usr/local/bro/lib/broctl/BroControl/control.py:

env += " SNF_NUM_RINGS=12 SNF_FLAGS=0x1"
"

What?!? Myricom support is telling people that! That's not the right way to do it (with 2.1 and we don't really support 2.0 anymore).

[worker1]
type=worker
host=1.2.3.4
interface=eth0
lb_method=myricom
lb_procs=12

That's how you should be doing it in node.cfg. No changes in python are required.

How about recompiling Bro against the Myricom pcap lib?

Would you mind putting me in touch with whomever you contacted at Myricom support?

Done.

I've also recompiled Bro against the vendor-provided pcap lib. So far so good.

Could you paste the exact configure flags you used?
  ./configure --with-pcap=/home/mpurzynski/myri_snf-2.0.11.50370_25b3f53d7-2930.x86_64 --prefix=/opt/bro

fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])

It looks like you may have something out of date, but I'm not really sure what's causing this error.

So, I've kind of worked around it by commenting out a few things (now how do you like this hack? ;). Let's get this fixed and the Myricom thingy working.