PFRING support on RPM packages

I’m overhauling some East / West sensors, and one thought is to deploy Zeek to minimize what we need to manage (as opposed to individual Snort / Argus sensors). Since these machines are using Intel 525 cards, I will be using PFRing as a load balancer. Does the bro RPM support this? I looked and don’t think so, though I wanted to ask here before rolling my own RPM.

Please excuse any typos / brevity, I'm on my mobile.
Thank you,

Don’t think they do either, especially since the official Zeek documentation includes a step on compiling from source to do it.

https://www.zeek.org/documentation/load-balancing.html

Just in case it helps, I wrote an article on installing Zeek from source with PF_RING on CentOS.

https://www.ericooi.com/zeekurity-zen-part-i-how-to-install-zeek-bro-on-centos-7/

I’m eventually going to change it to use AF_PACKET instead, as that’s what seems to be recommended in past threads from the Zeek folks. I’ve also been using AF_PACKET in my own production system at work without issues.

On 09/02/2019 15:51, Eric Ooi wrote:
> I’m eventually going to change it to use AF_PACKET instead, as that’s what
> seems to be recommended in past threads from the Zeek folks. I’ve also
> been using AF_PACKET in my own production system at work without issues.

Note that the AF_Packet plugin does not need Bro/Zeek sources anymore to build as Bro/Zeek 2.6 comes with the necessary include files.

Jan