An issue was recently discovered in Bro 2.1 when monitoring multiple interfaces with PF_RING that could result in traffic loss. This issue is targeted for resolution in Bro 2.2.
UPDATE 2013/05/13 - A new Setup package is now available which automatically disables Bro's PF_RING load balancing when multiple interfaces are being monitored:
http://securityonion.blogspot.com/2013/05/new-setup-package-avoids-bug-when.html
If you've already run Setup and selected multiple interfaces to monitor, please disable Bro's PF_RING load balancing as follows:
sudo broctl stopFor more information on the Bro issue, please see Bro Ticket #943.
sudo sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg
sudo sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg
sudo broctl install && sudo broctl start
No comments:
Post a Comment