Hello Security Onion users,
If you have a Security Onion sensor that is sniffing multiple
interfaces using multiple PF_RING instances per interface, please read
this email in its entirety!
There is a known issue when sniffing multiple interfaces using
multiple PF_RING instances per interface that could result in traffic
loss. This issue affects Snort and Bro (see the full Bro email
below). I'll be working on updating our NSM scripts to fix the Snort
issue and Bro will have a fix in Bro 2.2. Suricata should not be
affected by this because our NSM scripts should already be placing
unique PF_RING cluster ids in suricata.yaml (but I haven't tested
this to confirm). None of our other sniffing processes use PF_RING so
they shouldn't be affected either.
In the meantime, to ensure you aren't missing any traffic, please do
the following:
# Stop all sensor processes:
sudo nsm_sensor_ps-stop
# Edit /etc/nsm/*/sensor.conf and change IDS_LB_PROCS to 1
# Edit /opt/bro/etc/node.cfg and change all instances of lb_procs to 1
# Install the new Bro configuration:
sudo broctl install
# Start all sensor processes:
sudo nsm_sensor_ps-start
I'll follow up when we have an updated NSM scripts package that
properly sets the PF_RING cluster id for Snort when running on
multiple interfaces.
Thanks,
Doug
---------- Forwarded message ----------
From: Bro Tracker <b...@tracker.bro-ids.org>
Date: Wed, Feb 6, 2013 at 2:06 PM
Subject: [Bro-Dev] #943: PF_Ring plugin to support load balancing while sniffing multiple interfaces
To: se...@icir.org, dnth...@ncsa.illinois.edu
Cc: bro...@bro-ids.org

#943: PF_Ring plugin to support load balancing while sniffing multiple interfaces
------------------------+------------------------
 Reporter:  seth        |      Owner:  dnthayer
     Type:  Problem     |     Status:  new
 Priority:  Medium      |  Milestone:  Bro2.2
Component:  BroControl  |    Version:  git/master
 Keywords:              |
------------------------+------------------------
As reported by Jordi Ros-Giralt, if you want to sniff two interfaces on
the same host and load balance each interface across several workers there
are problems where all of the traffic is not monitored because it's all
put into the same pf_ring cluster id.
I suspect we need to do two things:
- Make cluster_id settable in the worker config as an override for the
global option.
- Make the plugin watch for multiple load balancing rings on the same
host (is this possible with the current plugin architecture?) and adapt by
making the second load balancing ring use the global value +1.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/943>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
_______________________________________________
bro-dev mailing list
bro...@bro-ids.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
--
Doug Burks
http://securityonion.blogspot.com
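As an added example (not part of the original email, nor Security Onion's or Bro's own code), here is a POSIX shell check that reads a Bro node.cfg and flags the condition the ticket describes: more than one sniffing interface load balanced with pf_ring while every worker shares the single global cluster id. The node.cfg path and the lb_procs/lb_method keys follow the email; the sample configuration below is constructed, and the Bro 2.x [section]/key=value layout is assumed.

```shell
# Print each distinct interface that node.cfg load balances with pf_ring
# across more than one process. Assumes Bro 2.x [section]/key=value layout.
pf_ring_lb_ifaces() {
  awk -F= '
    /^\[/   { sec = $0; next }
    NF == 2 { gsub(/[ \t]/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
    $1 == "interface" { iface[sec] = $2 }
    $1 == "lb_method" { method[sec] = $2 }
    $1 == "lb_procs"  { procs[sec] = $2 + 0 }
    END {
      for (s in iface)
        if (method[s] == "pf_ring" && procs[s] > 1 && !(iface[s] in seen)) {
          seen[iface[s]] = 1; print iface[s]
        }
    }' "$1"
}

# Return 0 when at most one interface is pf_ring load balanced (safe with one
# global cluster id), 1 when two or more are (the traffic-loss condition).
check_node_cfg() {
  n=$(pf_ring_lb_ifaces "$1" | awk 'END { print NR }')
  if [ "$n" -gt 1 ]; then
    echo "WARNING: $n interfaces would share one pf_ring cluster id:" >&2
    pf_ring_lb_ifaces "$1" | sed 's/^/  /' >&2
    return 1
  fi
  return 0
}

# Constructed sample node.cfg (not from a real sensor): two interfaces, each
# split across 4 pf_ring workers, which is exactly the risky layout.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
[worker-eth1]
type=worker
interface=eth1
lb_method=pf_ring
lb_procs=4

[worker-eth2]
type=worker
interface=eth2
lb_method=pf_ring
lb_procs=4
EOF

check_node_cfg "$SAMPLE_CFG" && echo "node.cfg OK" \
  || echo "Workaround: set lb_procs to 1 in node.cfg, then 'sudo broctl install'"
```

Point it at /opt/bro/etc/node.cfg before and after applying the workaround; the check should fail before and pass once every lb_procs is 1.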