Wednesday, February 27, 2013

Important note for those monitoring multiple interfaces with Bro


An issue was recently discovered in Bro 2.1 that can cause traffic loss when monitoring multiple interfaces with PF_RING. This issue is targeted for resolution in Bro 2.2.

UPDATE 2013/05/13 - A new Setup package is now available which automatically disables Bro's PF_RING load balancing when multiple interfaces are being monitored:
http://securityonion.blogspot.com/2013/05/new-setup-package-avoids-bug-when.html

If you've already run Setup and selected multiple interfaces to monitor, please disable Bro's PF_RING load balancing as follows:
sudo broctl stop
sudo sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg
sudo sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg
sudo broctl install && sudo broctl start
For more information on the Bro issue, please see Bro Ticket #943.
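
To check whether a node.cfg is in the affected state before and after the commands above, a small audit like the following can help. This is an added example, not part of the original post or of Bro/Security Onion; the function names and the sample worker sections are made up, and it assumes key=value lines without spaces, as the sed patterns above do.

```shell
# Added example: audit a broctl node.cfg for multiple monitored interfaces
# combined with active PF_RING load balancing. Read-only on the file given.

# Print the number of distinct interfaces on uncommented interface= lines.
count_interfaces() {
    awk -F= '/^interface=/ { seen[$2] = 1 }
             END { n = 0; for (i in seen) n++; print n }' "$1"
}

# Print "[section]: line" for every still-active load-balancing line.
active_lb_lines() {
    awk '/^\[/ { section = $0 }
         /^lb_method=pf_ring/ || /^lb_procs/ { print section ": " $0 }' "$1"
}

# Return 1 when more than one interface is monitored and load balancing is on.
audit_node_cfg() {
    n=$(count_interfaces "$1")
    lb=$(active_lb_lines "$1")
    if [ "$n" -gt 1 ] && [ -n "$lb" ]; then
        printf 'AFFECTED: %s interfaces, PF_RING load balancing active:\n%s\n' "$n" "$lb"
        return 1
    fi
    echo "OK: $n interface(s), no active PF_RING load-balancing lines"
}

# Constructed sample config: section names and interfaces are made up.
sample_cfg() {
    cat <<'EOF'
[worker-eth1]
type=worker
interface=eth1
lb_method=pf_ring
lb_procs=2
[worker-eth2]
type=worker
interface=eth2
lb_method=pf_ring
lb_procs=2
EOF
}

# Demo on scratch copies: audit, apply the post's two substitutions, re-audit.
before=$(mktemp); after=$(mktemp)
sample_cfg > "$before"
audit_node_cfg "$before" || true
sed -e 's|^lb_method=pf_ring|#lb_method=pf_ring|g' \
    -e 's|^lb_procs|#lb_procs|g' "$before" > "$after"
audit_node_cfg "$after"
rm -f "$before" "$after"
```

Run `audit_node_cfg /opt/bro/etc/node.cfg` to check the live file; a non-zero exit status means the load-balancing lines are still active with more than one interface configured.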
