Security Onion Blog

Wednesday, February 27, 2013

Important note for those monitoring multiple interfaces with Bro


An issue was recently discovered in Bro 2.1 when monitoring multiple interfaces with PF_RING that could result in traffic loss.  This issue is targeted for resolution in Bro 2.2.

UPDATE 2013/05/13 - A new Setup package is now available which automatically disables Bro's PF_RING load balancing when multiple interfaces are being monitored:
http://securityonion.blogspot.com/2013/05/new-setup-package-avoids-bug-when.html

If you've already run Setup and selected multiple interfaces to monitor, please disable Bro's PF_RING load balancing as follows:
sudo broctl stop
sudo sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg
sudo sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg
sudo broctl install && sudo broctl start
For more information on the Bro issue, please see Bro Ticket #943.

at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Search This Blog

Featured Post

CentOS Stream 9 and other Unsupported Network Installations

In 2023, we announced that only official Security Onion images are supported and that network installations on certain Linux distros was pos...

Popular Posts

  • Security Onion 2.4 Base OS
    Introduction Recent events have forced us to change course on the base operating system (OS) for Security Onion 2.4.  On 6/21/2023, Red Hat ...
  • Community Webinars featuring Security Onion
    Thanks to all who attended the Zeek webinar on May 27! For those weren't able to join, the recording should be available soon and we wi...
  • Security Advisory for Squert
    Introduction Jeffrey Medsger reported several command injection and SQL injection vulnerabilities in Squert.  Wes Lambert also discovered s...

Blog Archive