Wednesday, February 27, 2013

Important note for those monitoring multiple interfaces with Bro


An issue was recently discovered in Bro 2.1 when monitoring multiple interfaces with PF_RING that could result in traffic loss.  This issue is targeted for resolution in Bro 2.2.

UPDATE 2013/05/13 - A new Setup package is now available which automatically disables Bro's PF_RING load balancing when multiple interfaces are being monitored:
http://securityonion.blogspot.com/2013/05/new-setup-package-avoids-bug-when.html

If you've already run Setup and selected multiple interfaces to monitor, please disable Bro's PF_RING load balancing as follows:
sudo broctl stop
sudo sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg
sudo sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg
sudo broctl install && sudo broctl start
For more information on the Bro issue, please see Bro Ticket #943.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.