[security-onion] Bro and Myricom

I've thrown about 1.5Gbit of traffic on the host, give or take 500Mbit.

12 workers. Bro from the svn (oh well).

Hm, are you using our git repository? Or are you using some old version from our subversion repository that still exists (but hasn't been touched for a long time)?

Myricom support told me to:

"And also make sure that you are using the latest Bro 2.0 and that the Sniffer environment flags are set in /usr/local/bro/lib/broctl/BroControl/control.py:

env += " SNF_NUM_RINGS=12 SNF_FLAGS=0x1"

What?!? Myricom support is telling people that! That's not the right way to do it (with 2.1 and we don't really support 2.0 anymore).


That's how you should be doing it in node.cfg. No changes in python are required.

Would you mind putting me in touch with whomever you contacted at Myricom support?

I've also recompiled Bro against the vendor-provided pcap lib. So far so good.

Could you paste the exact configure flags you used?

fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }])

It looks like you may have something out of date, but I'm not really sure what's causing this error.

Could you please move discussions like this over to the Bro mailing list too? This thread is solidly Bro and not exactly related to SO.