[Bro] ServerFound notices slowed (was DNS logging)
robin at icir.org
Fri Dec 4 17:33:47 PST 2009
On Fri, Dec 04, 2009 at 10:50 -0700, you wrote:
> difference. We also moved our SPAN port from a core-to-core link to a
> Internet-to-core link. That may have caused a difference, but I had
> expected to see more ServerFounds.
Are there any internal systems for which you can confirm that they
should be reported? If so, capturing a trace and running it through
Bro offline could show whether it's problem of the cluster config or
something else in Bro.
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro