newbie questions...

Hi

First a minor nit:

I am setting up a new sensor with argus, suricata and bro. I thought I had everything right and then broctl start would just hang with "starting manager…"

I eventually worked out that in reorganising directories after running out of disk I had managed to move the bro install files. Re-running the broctl install fixed things. If it is straightforward for the script to check for the install files before trying to start the manager and give an informative error message, that would be nice :wink:

For the record I am running on a 16-core box running Ubuntu SPC and using the binary from SO (but not the SO config or scripts).

I have suricata set up to use cores 10-15 — is there a straightforward way to assign bro to particular cores, or should I just use open slather for everything?

I have assumed that the SO version of bro will use pf_ring by default? or do I need to do something to get bro to use pf_ring?

Russell (confession — it has only taken 4 years for implementing bro to get to the top of my todo list :frowning:)

Hi Russell!

For the record I am running on a 16-core box running Ubuntu SPC and using the binary from SO (but not the SO config or scripts).

Why's that?

I have suricata set up to use cores 10-15 — is there a straightforward way to assign bro to particular cores, or should I just use open slather for everything?

In the 2.2 release that is coming soon there is a new config option for node.cfg where you can pin processes. It will make your worker configs look like this…

[worker-1]
type=worker
host=1.2.3.4
interface=eth2
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11

I think that's a pretty straightforward configuration, but let me know if anything isn't clear in it or if you have questions. You will only need to configure a single worker like that to load balance traffic on that host with the configured interface. broctl will create all of the worker processes it needs.

I have assumed that the SO version of bro will use pf_ring by default? or do I need to do something to get bro to use pf_ring?

I put it in the config above, you just need to make sure you have all of the pf_ring bits installed. I'm a little unsure how different what you're running is from securityonion so I'm not sure I can authoritatively answer your question.

  .Seth
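Since the whole point of pin_cpus here is to keep the bro workers off the cores Suricata already owns (10-15 on a 16-core box), here is a small pre-flight check, added as an example and not part of the original thread or of broctl itself. It parses a node.cfg in the format shown above, and flags workers whose pin_cpus list overlaps a reserved core set, names a core that does not exist, is pinned by two workers, or does not match lb_procs. The sample node.cfg is constructed (the manager and proxy stanzas are assumptions, copied from the usual broctl layout), and the rule that broctl gives each load-balanced process one CPU from pin_cpus in listed order is an assumption stated in the code rather than something the reply above spells out.

```python
import configparser

# Constructed sample node.cfg, modelled on the worker stanza in the reply above.
# The manager and proxy stanzas are assumptions added to make it a complete host.
SAMPLE_NODE_CFG = """\
[manager]
type=manager
host=1.2.3.4

[proxy-1]
type=proxy
host=1.2.3.4

[worker-1]
type=worker
host=1.2.3.4
interface=eth2
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11
"""

# Same config with the worker kept off the Suricata cores (constructed).
FIXED_NODE_CFG = SAMPLE_NODE_CFG.replace("lb_procs=10", "lb_procs=8").replace(
    "pin_cpus=2,3,4,5,6,7,8,9,10,11", "pin_cpus=2,3,4,5,6,7,8,9"
)

# Cores the original poster says Suricata is already pinned to.
SURICATA_CPUS = set(range(10, 16))


def parse_node_cfg(text):
    """Return {section: {key: value}} for a broctl-style INI node.cfg."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def expand_cpu_list(spec):
    """'2,3,4' -> [2, 3, 4]; tolerates stray spaces and trailing commas."""
    return [int(tok) for tok in spec.split(",") if tok.strip()]


def worker_pin_plan(cfg):
    """Map each worker stanza to its lb_procs count and pinned CPU list.

    Assumption (not from the thread): broctl assigns one CPU from pin_cpus to
    each load-balanced process in listed order, so lb_procs and the length of
    pin_cpus are expected to match.
    """
    plan = {}
    for name, sect in cfg.items():
        if sect.get("type") != "worker":
            continue
        procs = int(sect.get("lb_procs", "1"))
        cpus = expand_cpu_list(sect.get("pin_cpus", ""))
        plan[name] = {"lb_procs": procs, "pin_cpus": cpus}
    return plan


def check_pinning(cfg, reserved, ncpus):
    """Return a list of problems with the pinning; an empty list means it is clean."""
    problems = []
    owner = {}  # cpu -> first worker that claimed it
    for name, entry in worker_pin_plan(cfg).items():
        procs, cpus = entry["lb_procs"], entry["pin_cpus"]
        if cpus and procs > len(cpus):
            problems.append(f"{name}: lb_procs={procs} but only {len(cpus)} pinned CPUs")
        if cpus and procs < len(cpus):
            problems.append(f"{name}: {len(cpus) - procs} pinned CPUs would sit idle")
        for cpu in cpus:
            if cpu < 0 or cpu >= ncpus:
                problems.append(f"{name}: CPU {cpu} does not exist on a {ncpus}-core box")
            if cpu in reserved:
                problems.append(f"{name}: CPU {cpu} overlaps a reserved (Suricata) core")
            if cpu in owner:
                problems.append(f"{name}: CPU {cpu} is also pinned by {owner[cpu]}")
            owner.setdefault(cpu, name)
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_NODE_CFG), ("fixed", FIXED_NODE_CFG)):
        found = check_pinning(parse_node_cfg(text), SURICATA_CPUS, ncpus=16)
        print(f"{label}: {'OK' if not found else ''}")
        for line in found:
            print("  " + line)
```

Run against the stanza exactly as posted, the check reports that CPUs 10 and 11 collide with Suricata; trimming the worker to cores 2-9 with lb_procs=8 comes back clean. Point it at the real /opt/bro/etc/node.cfg (or wherever the SO package puts it) and the reserved set Suricata is actually using before running broctl install.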

Hi Seth, nice to chat with you again! I did get there in the end :slight_smile:

Actually the biggest constraint was getting hardware capable of doing everything I wanted.

Hi Russell!

For the record I am running on a 16-core box running Ubuntu SPC and using the binary from SO (but not the SO config or scripts).

Why's that?

I am managing the sensors using puppet — all the config data, rule files, etc are all managed from a manager box which runs puppet. Using the SO .deb package frees me from having to fiddle around managing binary distros of the software I needed. I figure that SO keep close enough to the bleeding edge for me :wink: The OS stuff is also managed by puppet — my puppet server mirrors the config from our central puppet server.

I have been using this arrangement for several years and the most painful part was always upgrading the various sensor binaries. Puppet really assumes you have a native package for all your software. I see there are .debs on the download server — is there an apt repository I can get them from too?

That still leaves argus for which there are no up to date official binary packages. But SO does have them.

I have suricata set up to use cores 10-15 — is there a straightforward way to assign bro to particular cores, or should I just use open slather for everything?

In the 2.2 release that is coming soon there is a new config option for node.cfg where you can pin processes. It will make your worker configs look like this…

[worker-1]
type=worker
host=1.2.3.4
interface=eth2
lb_method=pf_ring
lb_procs=10
pin_cpus=2,3,4,5,6,7,8,9,10,11

I think that's a pretty straightforward configuration, but let me know if anything isn't clear in it or if you have questions. You will only need to configure a single worker like that to load balance traffic on that host with the configured interface. broctl will create all of the worker processes it needs.

Even I can deal with that :slight_smile: At the moment I have entries for workers 1-4.

I've added the pf_ring spec to each of them.