Create an Account
username: password:
 
  MemeStreams Logo

Multi-node Bro Cluster Setup
search
Home Agent Weblogs Social Network Post Help About

Hijexx
Picture of Hijexx
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Hijexx's topics
Arts
  Movies
   Documentary
  Electronic Music
Business
  Finance & Accounting
  Telecom Industry
Games
Health and Wellness
Home and Garden
Miscellaneous
  Humor
Current Events
Recreation
Local Information
Science
  Biology
Society
  Politics and Law
   Civil Liberties
    Internet Civil Liberties
  Media
Sports
Technology
  Computer Security
  Linux
  High Tech Developments

support us

Get MemeStreams Stuff!


 
Multi-node Bro Cluster Setup
Topic: Computer Security 1:28 am EST, Dec 27, 2012

Bookmarked for future reference. I had been thinking about a way to "load balance" traffic across multiple Snort instances and thought about applying something like Cisco's etherchannel load-balance srt-dst-ip hashing algorithm.

Lo and behold, I found this great BPF kludge!

In our example, there will be four nodes monitoring traffic, so the BPF looks like this for the first node:
(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0
So, in /etc/bro/local.bro, we have this:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 0";
On the second node, we would have this:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 1";
Third:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 2";
And fourth:
redef cmd_line_bpf_filter="(ip[14:2]+ip[18:2]) - (4*((ip[14:2]+ip[18:2])/4)) == 3";

Special note: If you are monitoring a link that is still vlan tagged (like from an RSPAN), then you will need to stick vlan && in front of each of the BPF's.

Multi-node Bro Cluster Setup

Thread [1]


  
 
Powered By Industrial Memetics		RSS2.0