MemeStreams Discussion

Multi-node Bro Cluster Setup
by Hijexx at 1:28 am EST, Dec 27, 2012

Bookmarked for future reference. I had been thinking about a way to "load balance" traffic across multiple Snort instances and thought about applying something like Cisco's etherchannel load-balance src-dst-ip hashing algorithm.

Lo and behold, I found this great BPF kludge!

In our example, there will be four nodes monitoring traffic, so the BPF looks like this for the first node:
(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0
So, in /etc/bro/local.bro, we have this:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0";
On the second node, we would have this:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 1";
And third:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 2";
And fourth:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 3";

Special note: If you are monitoring a link that is still VLAN tagged (like from an RSPAN), then you will need to stick "vlan &&" in front of each of the BPFs.
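The arithmetic behind the quoted filters, worked through as an added example (not code from the post or from the Bro documentation): ip[14:2] and ip[18:2] are the low 16 bits of the source and destination addresses, and x - N*(x/N) is x mod N written without a modulo operator. The helpers below generate the per-node filter string and evaluate it on a constructed IPv4 header, checking the property a sensor cluster depends on: both directions of a connection land on the same node.

```python
import ipaddress
import struct


def bro_node_filter(node: int, nodes: int) -> str:
    """Build the filter from the post for one node of an N-node cluster.
    Classic BPF has no modulo operator, so x mod N is written x - N*(x/N)."""
    if not 0 <= node < nodes:
        raise ValueError("node index out of range")
    total = "(ip[14:2]+ip[18:2])"
    return f"{total} - ({nodes}*({total}/{nodes})) == {node}"


def build_ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header with no options; checksum left zero.
    Offsets 12-15 hold the source address, 16-19 the destination."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 40, 0x1234, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def node_for_packet(ip_header: bytes, nodes: int) -> int:
    """Evaluate the filter the way BPF does on a raw IPv4 header.
    Only the low 16 bits of each address take part, so two hosts whose
    addresses differ only in the upper bits hash identically."""
    lo_src = int.from_bytes(ip_header[14:16], "big")  # ip[14:2]
    lo_dst = int.from_bytes(ip_header[18:20], "big")  # ip[18:2]
    total = lo_src + lo_dst  # BPF does this in 32 bits, so no wraparound
    return total - nodes * (total // nodes)


def flow_is_symmetric(a: str, b: str, nodes: int) -> bool:
    """True when a->b and b->a are assigned to the same node; if they were
    not, each sensor would see only half of every connection."""
    forward = node_for_packet(build_ipv4_header(a, b), nodes)
    reverse = node_for_packet(build_ipv4_header(b, a), nodes)
    return forward == reverse


if __name__ == "__main__":
    for n in range(4):
        print(f'redef cmd_line_bpf_filter="{bro_node_filter(n, 4)}";')
    pkt = build_ipv4_header("10.0.0.5", "192.168.1.10")
    print("node:", node_for_packet(pkt, 4))
```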
