Skip to content

Instantly share code, notes, and snippets.

@pnigos

pnigos/bro-notes.txt

Forked from PSJoshi/bro-notes.txt
Created April 1, 2017 15:52
Show Gist options
  • Save pnigos/7e3888ffcb646ae991633b69afce1a69 to your computer and use it in GitHub Desktop.
Save pnigos/7e3888ffcb646ae991633b69afce1a69 to your computer and use it in GitHub Desktop.
Download ZIP
Bro-IDS
Raw
bro-notes.txt
----------------------
NIC settings
----------------------
#turn off rx checksumming
ethtool -K eth1 rx off
# off tx checksumming
ethtool -K eth1 tx off
#turn off scatter-gather
ethtool -K eth1 sg off
#turn off tcp-segmentation-offload
ethtool -K eth1 tso off
#turn off generic-segmentation-offload
ethtool -K eth1 gso off
#turn off udp-fragmentation offload
ethtool -K eth1 ufo off
#turn off generic-receive-offload
ethtool -K eth1 gro off
# turn off large-receive-offload
ethtool -K eth1 lro off
# set the interface to 1000Mbps, full duplex
ethtool -s eth1 speed 1000 duplex full
# set MTU
ifconfig eth1 mtu 1514
ifconfig eth1 up
-----------------------------------------------
ifconfig - place eth1 in promiscous mode
Rehat/CentOS - /etc/sysconfig/network-scripts/ifcfg-eth1
------------------------------------------------
DEVICE=eth1
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
NM_CONTROLLED=no
IPV6_AUTOCONF=no
# for CentOS 7 or later: ip link set ethX promisc on
PROMISC=yes
#IPADDR=10.0.0.2
#PREFIX=24
#GATEWAY=10.0.0.1
#DNS=10.0.0.1
-------------------------------
Add 'ifup-local' script in /sbin
This scripts runs automatically once the ethernet 'eth1' interface is up.
More details - http://xmodulo.com/how-to-run-startup-script-automatically-after-network-interface-is-up-on-centos.html
-------------------------------
#!/bin/bash
# File: /sbin/ifup-local
#
# This script is run after normal sysconfig network-script configuration
# is performed on RHEL/CentOS-based systems.
#
# Parameters:
# $1: network interface name
#
# Post ifup configuration for tuning capture interfaces
# This is compatible with the ixgbe driver, YMMV
# Change this to something like /tmp/ifup-local.log for troubleshooting
#LOG=/dev/null
LOG=/tmp/ifup-local.log
case $1 in
eth1)
for i in rx tx sg tso ufo gso gro lro rxvlan txvlan
do
/usr/sbin/ethtool -K $1 $i off &>$LOG
done
/usr/sbin/ethtool -N $1 rx-flow-hash udp4 sdfn &>$LOG
/usr/sbin/ethtool -N $1 rx-flow-hash udp6 sdfn &>$LOG
/usr/sbin/ethtool -n $1 rx-flow-hash udp6 &>$LOG
/usr/sbin/ethtool -n $1 rx-flow-hash udp4 &>$LOG
/usr/sbin/ethtool -C $1 rx-usecs 10 &>$LOG
/usr/sbin/ethtool -C $1 adaptive-rx off &>$LOG
/usr/sbin/ethtool -G $1 rx 4096 &>$LOG
# Disable ipv6
echo 1 > /proc/sys/net/ipv6/conf/$1/disable_ipv6 &>$LOG
echo 0 > /proc/sys/net/ipv6/conf/$1/autoconf &>$LOG
# Set promiscuous mode
ip link set $1 promisc on &>$LOG
# Just in case ipv6 is already on this interfaces, let's kill it
ip addr show dev $1 | grep --silent inet6
if [ $? -eq 0 ]
then
ADDR=$(ip addr show dev $1 | grep inet6 | awk '{ print $2 }')
ip addr del $ADDR dev $1 &>$LOG
fi
;;
*)
# No post commands needed for this interface
;;
esac
-----------------------------------------------
Add executable permissions for ifup-local script
------------------------------------------------
chmod +x /sbin/ifup-local
------------------------------------
sysctl parameters tunning - /etc/sysctl.conf
------------------------------------
echo 'net.core.somaxconn = 20000' >> /etc/sysctl.conf
echo 'net.core.wmem_max = 67108864' >> /etc/sysctl.conf
echo 'net.core.rmem_max = 67108864' >> /etc/sysctl.conf
echo 'net.core.netdev_max_backlog = 20000' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_max_tw_buckets = 262144' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_max_syn_backlog = 8096' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_timestamps = 1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_window_scaling = 1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_sack = 1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_retrans_collapse = 1' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_max_syn_backlog = 8096' >> /etc/sysctl.conf
echo 'net.ipv4.ip_local_port_range = 16384 61000' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_mem = 2303808 3071744 67108864' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_wmem = 4096 524288 67108864' >> /etc/sysctl.conf
echo 'net.ipv4.tcp_rmem = 4096 524288 67108864' >> /etc/sysctl.conf
# To get a list of congestion control algorithms that are available in your kernel (if you are running 2.6.20 or higher), run:
# sysctl net.ipv4.tcp_available_congestion_control
# Reference - https://fasterdata.es.net/host-tuning/linux/expert/
# Do a 'modprobe tcp_htcp'
echo 'net.ipv4.tcp_congestion_control = htcp' >> /etc/sysctl.conf
#net.ipv4.tcp_available_congestion_control = htcp cubic reno
#net.ipv4.tcp_allowed_congestion_control = htcp cubic reno
echo 'net.core.rmem_default = 67108864' >> /etc/sysctl.conf
echo 'net.core.wmem_default = 67108864' >> /etc/sysctl.conf
echo 'fs.file-max = 2442072' >> /etc/sysctl.conf
Apply the above settings
sudo sysctl -p
-----------------------
Install EPEL repository
---------------------------
wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6.8.noarch.rpm
rpm -ivh epel-release-6.8.noarch.rpm
--------------------
Upgrade cmake if required
-------------------
# cmake version of CentOS 6/Scientific Linux 6 repository is old. - cmake-2.6.4-5.el6.x86_64
# EPEL repository contains cmake 2.8 version - cmake28-2.8.11.2-1.el6.x86_64
#yum remove cmake
yum install cmake28
ln -s /usr/bin/cmake28 /usr/bin/cmake
ln -s /usr/bin/ccmake28 /usr/bin/ccmake
ln -s /usr/bin/cpack28 /usr/bin/cpack
ln -s /usr/bin/ctest28 /usr/bin/ctest
If you wish, you can download rpm from internet or look for cmake28 or later in CentOS6.x/SL6.x repositories.
----------------------------
Install Bro dependencies
----------------------------
yum install kernel-devel kernel-headers -y
yum install make autoconf automake gcc gcc-c++ flex bison libpcap libpcap-devel -y
yum install openssl openssl-devel python-devel swig zlib zlib-devel -y
yum install openssl-libs bind-libs -y
yum install gawk -y
yum install pcre-devel -y
yum install libtool -y
yum install numactl numactl-devel -y
yum install gperftools-libs gperftools-devel -y
yum install GeoIP GeoIP-devel -y
yum install jemalloc jemalloc-devel -y
yum install curl -y
yum install libcurl-devel -y
yum install file-devel -y
yum install libarchive libarchive-devel -y
---------------------------
ipsumdump installation
----------------------------
#wget http://www.read.seas.harvard.edu/~kohler/ipsumdump
#tar -zxvf ipsumdump-1.85.tar.gz
#cd ipsumdump-1.85
#./configure
#make && make install
-----------------------------------------------------------
set environment - required during python compilation
-------------------------------------------------------------
#export LDFLAGS=-L/usr/local/lib
#export CFLAGS=-I/usr/local/include
#export CPPFLAGS=-I/usr/local/include
#export LD_LIBRARY_PATH=/usr/local/lib
-------------------------------------
Python installation - 2.7.10 or more
------------------------------------
# CentOS6.x comes with python2.6 by default. Bro requires python2.7 at least for Broccoli component.
#Please do not try to remove existing python version as it will remove many python dependent packages e.g. yum requires python2.6 that comes default with SL/CentOS distribution.
# So, install python 2.7.x in addition to existing python 2.6.6
#wget http://www.python.org/ftp/python/2.7.10/Python-2.7.10.tgz
#tar -zxvf Python-2.7.10.tgz
#cd Python-2.7.10
#./configure --prefix=/usr/local --enable-unicode=ucs4 --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"
#make
#make altinstall
#ln -s /usr/local/bin/python2.7 /usr/bin/python2.7
Add python to system path
#export PATH=$PATH:/usr/local/bin/python2.7
------------------------
python pip installation
--------------------------
# wget get-pip.py from https://bootstrap.pypa.io/get-pip.py
#python2.7 get-pip.py
#ln -s /usr/local/bin/pip2.7 /usr/bin/pip2.7
----------------------------------------------------------
Install python pysubnettree module and handle sqlite3 issue
-----------------------------------------------------------
# It is presumed that python(python2.6.10) has been installed as a part of default installation. Copy sqlite3.so module to new python path
#cp /usr/lib64/python2.6/lib-dynload/_sqlite3.so /usr/local/lib/python2.7/sqlite3/
Now, install pysubnettree python package:
#pip2.7 install pysubnettree
--------------------------------------
Download, install and configure PF_RING
-----------------------------------------
You should follow instructions available at Bro site for PF_RING installation - https://www.bro.org/documentation/load-balancing.html
Download the latest pf_ring source from http://www.ntop.org/get-started/download/#PF_RING
Now, compile/install various libraries required for PF_RING:
#cd /usr/src
#tar -zxvf PF_RING-6.0.3.tar.gz
#cd PF_RING-6.0.3/userland/lib
#./configure --prefix=/opt/pfring
#make
#make install
#cd ../libpcap
#./configure --prefix=/opt/pfring
#make
#make install
#cd ../tcpdump-4.1.1
#./configure --prefix=/opt/pfring
#make
#make install
#cd ../../kernel
(During kernel 'make' installation step, compile(make) it as normal user rather than as a root.)
#make
#make install
#Note - Please make sure that your kernel-devel, kernel-headers and kernel rpms have same major/minor versions. If not, you will encounter error in make step.
#e.g.
# rpm -qa |grep -i kernel
kernel-headers-2.6.32-431.1.2.el6.x86_64
kernel-devel-2.6.32-431.1.2.el6.x86_64
kernel-2.6.32-431.1.2.el6.x86_64
Add pf_ring module at start up:
#modprobe pf_ring enable_tx_capture=0 min_num_slots=32768
-------------------------
Check status of PF_ring
-------------------------
# modinfo pf_ring
# cat /proc/net/pf_ring/info
# lsmod |grep -i pf_ring
If you wish to blacklist pf_ring module:
echo "blacklist pf_ring" >> /etc/modprobe.d/blacklist.conf
-------------------------------------
Download, install and configure Bro
--------------------------------------
Download Bro from bro site - http://www.bro.org/download/index.html
cd bro-2.4.1
./configure --with-pcap=/opt/pfring --enable-debug --enable-perftools --enable-jemalloc
make && make install
Verify that Bro is using pf_ring libraries (Bro is correctly linked to the required libpcap libraries)
ldd /usr/local/bro/bin/bro | grep pcap
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007fa6d7d24000)
Various check that ensure that Bro is correctly configured and is working correctly as desired!!
# Append a crontab entry.
entry="0-55/5 * * * * $prefix/bin/broctl cron"
(crontab -l; echo "$entry" ) | crontab -
export PATH=$PATH:/usr/local/bro/bin
Deploy bro configuration
/usr/local/bro/bin/broctl deploy
------------------------------------------------------------------------------
capstats output: - make sure that nic_drops=0 otherwise, there is some issue!
------------------------------------------------------------------------------
[root@ids bro-2.4.1]# capstats -i eth1 -I 10 -n 10
1461129498.908812 pkts=150393 kpps=14.9 kbytes=111351 mbps=90.4 nic_pkts=150393 nic_drops=0 u=29 t=75160 i=0 o=0 nonip=75204
1461129508.908865 pkts=163641 kpps=16.4 kbytes=124721 mbps=102.2 nic_pkts=314034 nic_drops=0 u=15 t=81798 i=0 o=0 nonip=81828
1461129518.908912 pkts=137845 kpps=13.8 kbytes=102063 mbps=83.6 nic_pkts=451879 nic_drops=0 u=46 t=68869 i=0 o=0 nonip=68930
1461129528.908962 pkts=149581 kpps=15.0 kbytes=107227 mbps=87.8 nic_pkts=601460 nic_drops=0 u=30 t=74753 i=0 o=0 nonip=74798
1461129538.909008 pkts=157781 kpps=15.8 kbytes=122515 mbps=100.4 nic_pkts=759241 nic_drops=0 u=17 t=78866 i=0 o=0 nonip=78898
1461129548.910683 pkts=155546 kpps=15.6 kbytes=120246 mbps=98.5 nic_pkts=914787 nic_drops=0 u=30 t=77736 i=0 o=0 nonip=77780
1461129558.910729 pkts=201705 kpps=20.2 kbytes=162725 mbps=133.3 nic_pkts=1116492 nic_drops=0 u=19 t=100825 i=1 o=0 nonip=100860
1461129568.910775 pkts=201740 kpps=20.2 kbytes=162592 mbps=133.2 nic_pkts=1318232 nic_drops=0 u=34 t=100828 i=0 o=0 nonip=100878
1461129578.910825 pkts=264087 kpps=26.4 kbytes=224337 mbps=183.8 nic_pkts=1582319 nic_drops=0 u=16 t=132020 i=0 o=0 nonip=132051
1461129588.910871 pkts=163697 kpps=16.4 kbytes=129138 mbps=105.8 nic_pkts=1746016 nic_drops=0 u=30 t=81810 i=1 o=0 nonip=81856
------------------------------------------------------------------
netstats using broctl: make sure that dropped=0 is present always!
-------------------------------------------------------------------
[root@ids bro-2.4.1]# broctl netstats
worker-1-1: 1461130120.469154 recvd=3605586 dropped=0 link=3605586
worker-1-2: 1461130120.667704 recvd=3060021 dropped=0 link=3060021
worker-2-1: 1461130120.870726 recvd=3275393 dropped=0 link=3275393
worker-2-2: 1461130121.074453 recvd=3205035 dropped=0 link=3205035
worker-3-1: 1461130121.272134 recvd=5599450 dropped=0 link=5599450
worker-3-2: 1461130121.492023 recvd=3260891 dropped=0 link=3260891
worker-4-1: 1461130121.674467 recvd=2749362 dropped=0 link=2749362
worker-4-2: 1461130121.874181 recvd=2911576 dropped=0 link=2911576
----------------------
Capture loss script
----------------------
Do not forget to add capture loss script to bro site configuration:
[root@ids bro-2.4.1]# cat /usr/local/bro/share/bro/site/local.bro |grep -i cap
@load misc/capture-loss.bro
Check if any packet loss is reported in notice.log
[root@ids bro-2.4.1]# tail -f /backup/bro/logs/current/notice.log |grep -i capture
----------------------------------------------------------------------
Ethernet interface statistics - have a look to see if everything is ok!
-----------------------------------------------------------------------
[root@ids userland]# ethtool -S eth1
NIC statistics:
rx_packets: 44394071916
tx_packets: 6
rx_bytes: 41858558934856
tx_bytes: 492
rx_broadcast: 11568535
tx_broadcast: 0
rx_multicast: 2808
tx_multicast: 6
rx_errors: 8
tx_errors: 0
tx_dropped: 0
multicast: 2808
collisions: 0
rx_length_errors: 8
rx_over_errors: 0
rx_crc_errors: 0
rx_frame_errors: 0
rx_no_buffer_count: 1429
rx_missed_errors: 578
tx_aborted_errors: 0
tx_carrier_errors: 0
tx_fifo_errors: 0
tx_heartbeat_errors: 0
tx_window_errors: 0
tx_abort_late_coll: 0
tx_deferred_ok: 0
tx_single_coll_ok: 0
tx_multi_coll_ok: 0
tx_timeout_count: 0
tx_restart_queue: 0
rx_long_length_errors: 0
rx_short_length_errors: 8
rx_align_errors: 0
tx_tcp_seg_good: 0
tx_tcp_seg_failed: 0
rx_flow_control_xon: 0
rx_flow_control_xoff: 0
tx_flow_control_xon: 0
tx_flow_control_xoff: 0
rx_long_byte_count: 41858558934856
rx_csum_offload_good: 43716692832
rx_csum_offload_errors: 0
rx_header_split: 0
alloc_rx_buff_failed: 0
tx_smbus: 0
rx_smbus: 0
dropped_smbus: 0
rx_dma_failed: 0
tx_dma_failed: 0
rx_hwtstamp_cleared: 0
uncorr_ecc_errors: 0
corr_ecc_errors: 0
tx_hwtstamp_timeouts: 0
--------------------------
Ethernet statistics
---------------------------
[root@ids userland]# ethtool -c eth1
Coalesce parameters for eth1:
Adaptive RX: off TX: off
stats-block-usecs: 0
sample-interval: 0
pkt-rate-low: 0
pkt-rate-high: 0
rx-usecs: 3
rx-frames: 0
rx-usecs-irq: 0
rx-frames-irq: 0
tx-usecs: 0
tx-frames: 0
tx-usecs-irq: 0
tx-frames-irq: 0
rx-usecs-low: 0
rx-frame-low: 0
tx-usecs-low: 0
tx-frame-low: 0
rx-usecs-high: 0
rx-frame-high: 0
tx-usecs-high: 0
tx-frame-high: 0
------------------
PF_RING outputs
-------------------
[root@ids userland]# cat /proc/net/pf_ring/info
PF_RING Version : 6.0.3 ($Revision: exported$)
Total rings : 8
Standard (non DNA/ZC) Options
Ring slots : 32768
Slot version : 16
Capture TX : No [RX only]
IP Defragment : No
Socket Mode : Standard
Total plugins : 0
Cluster Fragment Queue : 0
Cluster Fragment Discard : 0
[root@ids userland]# cat /proc/net/pf_ring/21751-eth1.12
Bound Device(s) : eth1
Active : 1
Breed : Standard
Appl. Name : bro-eth1
Socket Mode : RX+TX
Capture Direction : RX+TX
Sampling Rate : 1
IP Defragment : No
BPF Filtering : Enabled
# Sw Filt. Rules : 0
# Hw Filt. Rules : 0
Poll Pkt Watermark : 1
Num Poll Calls : 8073938
Channel Id Mask : 0xFFFFFFFFFFFFFFFF
Cluster Id : 21
Slot Version : 16 [6.0.3]
Min Num Slots : 32768
Bucket Len : 8192
Slot Len : 8232 [bucket+header]
Tot Memory : 269758464
Tot Packets : 3090727
Tot Pkt Lost : 0
Tot Insert : 3090727
Tot Read : 3090717
Insert Offset : 251171448
Remove Offset : 251168624
Num Free Slots : 32758
TX: Send Ok : 0
TX: Send Errors : 0
Reflect: Fwd Ok : 0
Reflect: Fwd Errors: 0
------------------
Bro - configuration
---------------------
[root@ids userland]# broctl config
bindir = /usr/local/bro/bin
bro = /usr/local/bro/bin/bro
bro-crashed = False
bro-expect-running = False
bro-host = localhost
bro-pid = None
bro-port = 47760
broargs =
brobase = /usr/local/bro
broctlconfigdir = /backup/bro/spool
broport = 47760
broscriptdir = /usr/local/bro/share/bro
broversion = 2.4.1
capstatspath = /usr/local/bro/bin/capstats
cfgdir = /usr/local/bro/etc
cflowaddress =
cflowpassword =
cflowuser =
commandtimeout = 60
commtimeout = 10
compresscmd = gzip -9
compressextension = gz
compresslogs = 1
cron = 0
croncmd =
debug = 0
debuglog = /backup/bro/spool/debug.log
env_vars =
hash-broctlcfg = 3467248684
hash-nodecfg = 1814322202
havenfs = 0
helperdir = /usr/local/bro/share/broctl/scripts/helpers
ipv6comm = 1
keeplogs =
libdir = /usr/local/bro/lib
libdirinternal = /usr/local/bro/lib/broctl
localnetscfg = /usr/local/bro/etc/networks.cfg
lockfile = /backup/bro/spool/lock
logdir = /backup/bro/logs
logexpireinterval = 0
logrotationinterval = 3600
mailalarmsinterval = 86400
mailalarmsto = root@localhost
mailconnectionsummary = 1
mailfrom = Big Brother <[email protected]>
mailhostupdown = 1
mailreplyto =
mailsubjectprefix = [Bro]
mailto = root@localhost
makearchivename = /usr/local/bro/share/broctl/scripts/make-archive-name
manager-crashed = False
manager-expect-running = True
manager-host = localhost
manager-pid = 21649
manager-port = 47761
memlimit = unlimited
mindiskspace = 5
nodecfg = /usr/local/bro/etc/node.cfg
os = linux
pfringclusterid = 21
pfringclustertype = 4-tuple
pfringfirstappinstance = 0
pin_command = taskset -c
plugindir = /usr/local/bro/lib/broctl/plugins
policydir = /usr/local/bro/share/bro
policydirsiteinstall = /backup/bro/spool/installed-scripts-do-not-touch/site
policydirsiteinstallauto = /backup/bro/spool/installed-scripts-do-not-touch/auto
postprocdir = /usr/local/bro/share/broctl/scripts/postprocessors
prefixes = local
proxy-1-crashed = False
proxy-1-expect-running = True
proxy-1-host = localhost
proxy-1-pid = 21687
proxy-1-port = 47762
savetraces = 0
scriptsdir = /usr/local/bro/share/broctl/scripts
sendmail = /usr/sbin/sendmail
sigint = 0
sitepluginpath =
sitepolicymanager = local-manager.bro
sitepolicypath = /usr/local/bro/share/bro/site
sitepolicystandalone = local.bro
sitepolicyworker = local-worker.bro
spooldir = /backup/bro/spool
standalone = 0
statefile = /backup/bro/spool/state.db
staticdir = /usr/local/bro/share/broctl
statsdir = /backup/bro/logs/stats
statslog = /backup/bro/spool/stats.log
statslogenable = 1
statslogexpireinterval = 0
statuscmdshowall = 1
stoptimeout = 60
test.enabled = 0
test.foo = 1
time = /usr/bin/time
timefmt = %d %b %H:%M:%S
timemachinehost =
timemachineport = 47757/tcp
tmpdir = /backup/bro/spool/tmp
tmpexecdir = /backup/bro/spool/tmp
tracesummary = /usr/local/bro/bin/trace-summary
version = 1.4
worker-1-1-crashed = False
worker-1-1-expect-running = True
worker-1-1-host = localhost
worker-1-1-pid = 21751
worker-1-1-port = 47763
worker-1-2-crashed = False
worker-1-2-expect-running = True
worker-1-2-host = localhost
worker-1-2-pid = 21774
worker-1-2-port = 47764
worker-1-3-crashed = False
worker-1-3-expect-running = False
worker-1-3-host = localhost
worker-1-3-pid = None
worker-1-3-port = 47765
worker-1-crashed = False
worker-1-expect-running = False
worker-1-host = localhost
worker-1-pid = None
worker-1-port = 47763
worker-2-1-crashed = False
worker-2-1-expect-running = True
worker-2-1-host = localhost
worker-2-1-pid = 21782
worker-2-1-port = 47765
worker-2-2-crashed = False
worker-2-2-expect-running = True
worker-2-2-host = localhost
worker-2-2-pid = 21796
worker-2-2-port = 47766
worker-2-3-crashed = False
worker-2-3-expect-running = False
worker-2-3-host = localhost
worker-2-3-pid = None
worker-2-3-port = 47768
worker-2-crashed = False
worker-2-expect-running = False
worker-2-host = localhost
worker-2-pid = None
worker-2-port = 47764
worker-3-1-crashed = False
worker-3-1-expect-running = True
worker-3-1-host = localhost
worker-3-1-pid = 21802
worker-3-1-port = 47767
worker-3-2-crashed = False
worker-3-2-expect-running = True
worker-3-2-host = localhost
worker-3-2-pid = 21804
worker-3-2-port = 47768
worker-3-3-crashed = False
worker-3-3-expect-running = False
worker-3-3-host = localhost
worker-3-3-pid = None
worker-3-3-port = 47771
worker-3-crashed = False
worker-3-expect-running = False
worker-3-host = localhost
worker-3-pid = None
worker-3-port = 47765
worker-4-1-crashed = False
worker-4-1-expect-running = True
worker-4-1-host = localhost
worker-4-1-pid = 21803
worker-4-1-port = 47769
worker-4-2-crashed = False
worker-4-2-expect-running = True
worker-4-2-host = localhost
worker-4-2-pid = 21808
worker-4-2-port = 47770
worker-4-crashed = False
worker-4-expect-running = False
worker-4-host = localhost
worker-4-pid = None
worker-4-port = 47766
worker-5-crashed = False
worker-5-expect-running = False
worker-5-host = localhost
worker-5-pid = None
worker-5-port = 47767
zoneid =
-----------------------------
Bro - node configuration
------------------------------
[root@ids bro-2.4.1]# cat /usr/local/bro/etc/node.cfg
# Example BroControl node configuration.
#
# This example has a standalone node ready to go except for possibly changing
# the sniffing interface.
# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
#[bro]
#type=standalone
#host=localhost
#interface=eth1
## Below is an example clustered configuration. If you use this,
## remove the [bro] node above.
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
# approx. guidance - number of lb_procs to be half of number of CPU/Cores available.
lb_procs=2
pin_cpus=2,3
#
[worker-2]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=2
pin_cpus=2,3
#
[worker-3]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=2
pin_cpus=2,3
[worker-4]
type=worker
host=localhost
interface=eth1
lb_method=pf_ring
lb_procs=2
pin_cpus=2,3
#[worker-5]
#type=worker
#host=localhost
#interface=eth1
-------------------------
NIC buffer configurations
-----------------------
[root@ids userland]# sysctl -a |grep net.core.rmem
net.core.rmem_max = 67108864
net.core.rmem_default = 67108864
[root@ids userland]# sysctl -a |grep tcp_rmem
net.ipv4.tcp_rmem = 4096 524288 16777216
[root@ids userland]# sysctl -a |grep netdev_max
net.core.netdev_max_backlog = 20000
-----------------
Interesting links
-----------------
https://github.com/Security-Onion-Solutions/security-onion/wiki/NetworkConfiguration
http://ossectools.blogspot.in/2012/10/multi-node-bro-cluster-setup-howto.html
https://www.bro.org/documentation/load-balancing.html
https://www.sans.org/reading-room/whitepapers/detection/capturing-10g-1g-traffic-correct-settings-33043
https://github.com/Security-Onion-Solutions/security-onion/wiki/ProductionDeployment
Performance and security related sysctl settings - https://github.com/zchee/h2o-proxy/blob/master/sysctl.conf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment