Bro Clusters - Bro Workshop 2011, NCSA, Urbana-Champaign, IL (PowerPoint PPT Presentation)



SLIDE 1

Bro Workshop 2011
NCSA, Urbana-Champaign, IL

Bro Clusters

Thursday, November 17, 2011

SLIDE 2

  • Someone here is analyzing 7Gbps of mixed traffic with Bro.
  • With everything turned on!

SLIDE 3

Cluster Purpose

  • Bro is single threaded.
  • Difficult to adapt multithreading into the code base as it is.
  • Conceptually Bro is very parallelizable, but we aren't taking the brute-force approach to adding multithreading.
  • This is a topic for a different time.

SLIDE 4

Cluster Background

  • Initially implemented as Bro scripts, and all nodes needed to be started manually.
  • BroControl was originally called “Bro Cluster Shell”; it contained all of the Bro script support for clusters but automated the tedium.
  • Bro 2.0 introduces the cluster framework, which is a further abstraction of all previous work and ideas.

SLIDE 5

Cluster Layout

  • Set of Bro processes acting as a single entity.
  • Split Bro functionality across node types:
    • Manager
    • Proxies
    • Workers

SLIDE 6

Manager

  • Receives logs
  • Handles notices

SLIDE 7

Proxy

  • Synchronizes limited state information across workers.
  • For example: active local IP addresses.
  • Does not examine packets.

SLIDE 8

Worker

  • Sniffs traffic
  • Performs protocol analysis
  • Generally, most of the heavy lifting

SLIDE 9

Frontend

  • Not a Bro process!

SLIDE 10

Bidirectional Flow Load Balancing

  • Turn a large “pipe” into many bundles of sessions.
  • Most common balancing is 4- or 5-tuple:
    • 4-tuple - SRC_IP+SRC_PORT+DST_IP+DST_PORT
    • 5-tuple - SRC_IP+SRC_PORT+DST_IP+DST_PORT+PROTO
  • Network-based balancing.
  • Host-based balancing.
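As an added illustration of the bidirectional 4-/5-tuple balancing this slide describes (example code written for this page, not part of the original deck and not Bro's or BroControl's own code), the Python below builds a direction-independent flow key and hashes it to a worker, so both halves of a session reach the same worker; a direction-sensitive variant is included for contrast. The packets and the worker count are constructed sample values.

```python
import hashlib
import ipaddress

# Constructed sample packets (not from the slides):
# (src_ip, src_port, dst_ip, dst_port, ip_proto); 6 = TCP, 17 = UDP
SAMPLE_PACKETS = [
    ("10.0.0.5", 51234, "192.168.1.72", 443, 6),   # client -> server
    ("192.168.1.72", 443, "10.0.0.5", 51234, 6),   # server -> client, same session
    ("10.0.0.9", 40000, "8.8.8.8", 53, 17),
    ("8.8.8.8", 53, "10.0.0.9", 40000, 17),
]

def flow_key(src_ip, src_port, dst_ip, dst_port, proto=None):
    """Direction-independent key: the two endpoints are sorted, so A->B and
    B->A give the same key. proto=None yields the 4-tuple, else the 5-tuple."""
    a = (int(ipaddress.ip_address(src_ip)), src_port)
    b = (int(ipaddress.ip_address(dst_ip)), dst_port)
    lo, hi = sorted([a, b])
    key = f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"
    return key if proto is None else f"{key}|{proto}"

def worker_for(packet, num_workers, use_proto=True):
    """Pick a worker index in 0..num_workers-1 from a stable hash of the
    symmetric flow key, so one worker sees the whole session."""
    src_ip, src_port, dst_ip, dst_port, proto = packet
    key = flow_key(src_ip, src_port, dst_ip, dst_port, proto if use_proto else None)
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % num_workers

def naive_worker_for(packet, num_workers):
    """Direction-sensitive variant for contrast: hashes the tuple as seen on
    the wire, so the two directions of a session may land on different
    workers and neither of them can reassemble it."""
    digest = hashlib.sha256(repr(packet).encode()).digest()
    return int.from_bytes(digest[:8], "big") % num_workers

def check_bidirectional(packets, num_workers, assign=worker_for):
    """True if every session's two directions are assigned to one worker."""
    seen = {}
    for pkt in packets:
        key = flow_key(*pkt)
        w = assign(pkt, num_workers)
        if seen.setdefault(key, w) != w:
            return False
    return True
```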

SLIDE 11

SLIDE 12

BroControl

  • Cluster layout specification.
  • Easy management and control of large numbers of processes on large numbers of physical hosts.

SLIDE 13

BroControl in “standalone” mode

node.cfg:

  [bro]
  type=standalone
  host=localhost
  interface=en1

SLIDE 14

BroControl in “cluster” mode

node.cfg:

  [manager]
  type=manager
  host=192.168.1.72

  [proxy-1]
  type=proxy
  host=192.168.1.72

  [worker-1]
  type=worker
  host=192.168.1.72
  interface=eth0

  [worker-2]
  type=worker
  host=192.168.1.72
  interface=eth1
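To show how the node.cfg layouts on slides 13 and 14 can be parsed and sanity-checked before they are handed to BroControl, here is an added Python example (written for this page; it is not BroControl's own code and does not reproduce its actual "check" logic). The config text is a constructed copy in the slide's format, and the layout rules it enforces are assumptions spelled out in the docstring.

```python
import configparser

# Sample node.cfg in the form shown on the slides (constructed copy, cluster mode)
SAMPLE_NODE_CFG = """\
[manager]
type=manager
host=192.168.1.72
[proxy-1]
type=proxy
host=192.168.1.72
[worker-1]
type=worker
host=192.168.1.72
interface=eth0
[worker-2]
type=worker
host=192.168.1.72
interface=eth1
"""

def parse_node_cfg(text):
    """node.cfg is INI syntax: one section per node, key=value options."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def check_layout(nodes):
    """Return a list of problems (empty means consistent). Rules assumed here,
    not BroControl's own: known type and host on every node; each worker names
    an interface no other worker on that host sniffs; either a lone standalone
    node, or exactly one manager plus at least one proxy and one worker."""
    problems, by_type, sniffed = [], {}, set()
    for name, opts in nodes.items():
        t = opts.get("type")
        if t not in {"standalone", "manager", "proxy", "worker"} or "host" not in opts:
            problems.append(f"{name}: needs a known type and a host")
            continue
        by_type.setdefault(t, []).append(name)
        if t == "worker":
            hi = (opts["host"], opts.get("interface"))
            if hi[1] is None or hi in sniffed:
                problems.append(f"{name}: missing or duplicate interface")
            sniffed.add(hi)
    if "standalone" in by_type:
        if len(nodes) != 1:
            problems.append("a standalone node must be the only node")
    elif (len(by_type.get("manager", [])) != 1
          or not by_type.get("proxy") or not by_type.get("worker")):
        problems.append("cluster needs exactly one manager, a proxy and a worker")
    return problems
```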

SLIDE 15

  $ sudo /bro/bin/broctl
  Password:
  Welcome to BroControl 0.41-128

  Type "help" for help.

  [BroControl] >

SLIDE 16

  [BroControl] > check
  manager is ok.
  proxy-1 is ok.
  worker-1 is ok.
  worker-2 is ok.

SLIDE 17

  [BroControl] > install
  removing old policies in /usr/local/bro/spool/policy/site ... done.
  removing old policies in /usr/local/bro/spool/policy/auto ... done.
  creating policy directories ... done.
  installing site policies ... done.
  generating cluster-layout.bro ... done.
  generating local-networks.bro ... done.
  generating broctl-config.bro ... done.
  updating nodes ... done.

SLIDE 18

  [BroControl] > start
  starting manager ...
  starting proxy-1 ...
  starting worker-1 ...
  starting worker-2 ...

SLIDE 19

  [BroControl] > ?
  BroControl Version 0.41-128

  capstats <nodes> [secs]          - report interface statistics (needs capstats)
  check <nodes>                    - check configuration before installing it
  cleanup [--all] <nodes>          - delete working dirs on nodes (flushes state)
  config                           - print broctl configuration
  cron                             - perform jobs intended to run from cron
  cron enable|disable|?            - enable/disable "cron" jobs
  df                               - print nodes' current disk usage
  diag <nodes>                     - output diagnostics for nodes
  exec <shell cmd>                 - execute shell command on all nodes
  exit                             - exit shell
  install                          - update broctl installation/configuration
  netstats                         - print nodes' current packet counters
  nodes                            - print node configuration
  print <id> <nodes>               - print current values of script variable at nodes
  peerstatus <nodes>               - print current status of nodes' remote connections
  process <trace> [Bro options]    - runs Bro offline on trace file
  quit                             - exit shell
  restart [--clean] <nodes>        - stop and then restart processing
  scripts [-p|-c] <nodes>          - Lists the Bro scripts the nodes will be loading
  start <nodes>                    - start processing
  status <nodes>                   - summarize node status
  stop <nodes>                     - stop processing
  update <nodes>                   - update configuration of nodes on the fly
  top <nodes>                      - show Bro processes ala top

  Commands provided by plugins:

  ps.bro [<nodes>]                 - Shows Bro processes currently running on nodes' systems.