Traffic on mgmt interface


#1

This was a placeholder topic for Bro before re-organizing. Keeping topic to preserve discussion.


#2

We seem to be capturing our mgmt interface traffic into Bro and ELK even though the Rocknsm config.yml and Bro node.cfg don’t have that interface set to be captured.

Is there something else somewhere that needs flipped on/off to disable capturing on the mgmt interface?

From the /etc/rocknsm/config.yml setup

# interfaces that should be configured for sensor applications

rock_monifs:
- p2p1
- p1p1
- p1p2
- em4
- em3
- em2
- p2p2

And then from the Bro node.cfg in /opt/bro/etc

[rocknsm@simplerockbuild etc]$ cat node.cfg
[logger]
type=logger
host=localhost
env_vars=fanout_id=0

[manager]
type=manager
host=localhost
env_vars=fanout_id=0

[proxy-1]
type=proxy
host=localhost
env_vars=fanout_id=0

[p2p1]
type=worker
host=localhost
interface=p2p1
env_vars=fanout_id=42

[p1p1]
type=worker
host=localhost
interface=p1p1
env_vars=fanout_id=43

[p1p2]
type=worker
host=localhost
interface=p1p2
env_vars=fanout_id=44

[em4]
type=worker
host=localhost
interface=em4
env_vars=fanout_id=45

[em3]
type=worker
host=localhost
interface=em3
env_vars=fanout_id=46

[em2]
type=worker
host=localhost
interface=em2
env_vars=fanout_id=47

[p2p2]
type=worker
host=localhost
interface=p2p2
env_vars=fanout_id=48

And then our interfaces for the box (em1 is mgmt, em4 is live capture):

em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.1.100 netmask 255.255.255.0 broadcast 10.1.1.255
inet6 fe80::7a2b:cbff:fe26:ed20 prefixlen 64 scopeid 0x20
ether 78:2b:cb:26:ed:20 txqueuelen 1000 (Ethernet)
RX packets 2089260 bytes 222114294 (211.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 125142 bytes 58131152 (55.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

em2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
ether 78:2b:cb:26:ed:22 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

em3: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
ether 78:2b:cb:26:ed:24 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

em4: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500
inet6 fe80::7a2b:cbff:fe26:ed26 prefixlen 64 scopeid 0x20
ether 78:2b:cb:26:ed:26 txqueuelen 1000 (Ethernet)
RX packets 756768302 bytes 490958902748 (457.2 GiB)
RX errors 471645 dropped 471679 overruns 0 frame 471645
TX packets 20 bytes 378464 (369.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 15588169 bytes 33588172922 (31.2 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15588169 bytes 33588172922 (31.2 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

p1p1: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
ether a0:36:9f:0c:8e:f8 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

p1p2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
ether a0:36:9f:0c:8e:fa txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

p2p1: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
ether a0:36:9f:0c:90:1c txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

p2p2: flags=4355<UP,BROADCAST,PROMISC,MULTICAST> mtu 1500
ether a0:36:9f:0c:90:1e txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


#3

Wow! That’s a lot of interfaces! :slight_smile:

Did you accidentally leave the management interface in there when you deployed it the first time? It’s possible things didn’t clean up cleanly.

For bro in particular, try to see if the following provides any hits:

ps -ef | grep "bro .*em1" 

If it does, we might need to stop all the collector processes and kill any leftovers.

If it doesn't, what makes you think it's collecting management traffic?
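The check above can be made systematic. The script below is an added example, not code from the thread or from the RockNSM project: it pulls the worker interfaces out of node.cfg, pulls the interfaces that running Bro processes are actually sniffing out of ps output, and flags any sniffer that is not a configured worker (a leftover from an earlier deploy) or that carries an IPv4 address (which on a sensor is almost always the management interface; em4 above only has an IPv6 link-local address, which is why the check looks at IPv4 only). It assumes broctl starts workers as `bro -i <iface> ...`, which is the same pattern the `grep "bro .*em1"` above relies on. The node.cfg, ps and `ip` output embedded in the script are constructed sample data, not the poster's.

```shell
#!/bin/sh
# Added example, not part of the RockNSM project or of this thread.
# Cross-check configured Bro worker interfaces against what Bro processes are
# actually sniffing, and flag any sniffer that looks like a management interface.

# Print the interface= value of every [worker] stanza in a Bro node.cfg.
# Usage: configured_ifaces /opt/bro/etc/node.cfg
configured_ifaces() {
    awk -F= '
        /^\[/                           { in_worker = 0 }
        $1 == "type" && $2 == "worker"  { in_worker = 1 }
        in_worker && $1 == "interface"  { print $2 }
    ' "$1" | sort -u
}

# Print the interface each running Bro worker is sniffing, from ps(1) output
# (one command line per line). Assumption: broctl launches workers as
# "bro -i <iface> ..."; processes without -i (manager, proxy, logger) are skipped.
# Usage: ps -eo args= | sniffing_ifaces
sniffing_ifaces() {
    awk '
        $1 ~ /(^|\/)bro$/ {
            for (i = 2; i < NF; i++) if ($i == "-i") print $(i + 1)
        }
    ' | sort -u
}

# Print interfaces that currently hold an IPv4 address, from `ip -4 -o addr`
# output. A capture interface should have none; one that does is most likely
# the management interface.
# Usage: ip -4 -o addr | addressed_ifaces
addressed_ifaces() {
    awk '$3 == "inet" { print $2 }' | sort -u
}

# Compare the three views. Arguments: node.cfg path, file with ps output,
# file with `ip -4 -o addr` output. Prints one line per finding and returns
# 1 if anything was found, 0 if every sniffer is a configured, address-less worker.
check_sniffers() {
    cfg=$1 ps_out=$2 ip_out=$3
    rc=0
    for ifc in $(sniffing_ifaces < "$ps_out"); do
        if ! configured_ifaces "$cfg" | grep -qxF -- "$ifc"; then
            echo "LEFTOVER: bro process sniffing $ifc but it is not a worker in $cfg"
            rc=1
        fi
        if addressed_ifaces < "$ip_out" | grep -qxF -- "$ifc"; then
            echo "MGMT?: bro process sniffing $ifc which has an IPv4 address"
            rc=1
        fi
    done
    return $rc
}

# --- Constructed sample inputs (not taken from the thread) -------------------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# node.cfg with two workers, em2 and em4; em1 is deliberately absent
cat > "$TMP/node.cfg" <<'EOF'
[manager]
type=manager
host=localhost

[em2]
type=worker
host=localhost
interface=em2

[em4]
type=worker
host=localhost
interface=em4
EOF

# Simulated `ps -eo args=`: two expected workers, one leftover worker on em1,
# and the manager (no -i)
cat > "$TMP/ps.txt" <<'EOF'
/opt/bro/bin/bro -i em2 -U .status -p broctl -p broctl-live -p local -p em2 local.bro broctl base/frameworks/cluster broctl/auto
/opt/bro/bin/bro -i em4 -U .status -p broctl -p broctl-live -p local -p em4 local.bro broctl base/frameworks/cluster broctl/auto
/opt/bro/bin/bro -i em1 -U .status -p broctl -p broctl-live -p local -p em1 local.bro broctl base/frameworks/cluster broctl/auto
/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster broctl/auto
EOF

# Simulated `ip -4 -o addr`: only lo and the management interface em1 have addresses
cat > "$TMP/ip.txt" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: em1    inet 10.1.1.100/24 brd 10.1.1.255 scope global em1\       valid_lft forever preferred_lft forever
EOF

# On a real sensor: ps -eo args= > /tmp/ps.txt; ip -4 -o addr > /tmp/ip.txt;
# then check_sniffers /opt/bro/etc/node.cfg /tmp/ps.txt /tmp/ip.txt
check_sniffers "$TMP/node.cfg" "$TMP/ps.txt" "$TMP/ip.txt" ||
    echo "findings above: stop the collectors (broctl stop) and kill the leftovers before restarting"
```

Against the constructed data this reports em1 twice (not in node.cfg, and it holds 10.1.1.100), which is exactly the leftover-process case the reply above describes. If it reports nothing but management traffic still shows up in Kibana, the packets are reaching a configured worker some other way (for example a capture port that is cabled to a span of the management network), and the place to look is the ifconfig RX counters on the capture interfaces rather than the Bro process list.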


#4

We were seeing traffic with the source/dest IP of the mgmt interface in Kibana when the capture interfaces were down and the mgmt IP. I'll run that cmd and go back and pull some current to get more details.