[Bro] Filtering based on port-number

Sunjeet Singh sstattla at gmail.com
Fri Oct 8 08:08:24 PDT 2010


I'm looking into it. Thanks for your help Peter.

Sunjeet Singh


On 10-10-08 07:59 AM, Peter Erickson wrote:
>
>>> when loading dpd you may need to change the filter to include all
>>> packets, e.g. on the command line:
>>> bro -f "tcp or udp or icmp" ...
>>>
>> Okay, so it makes sense to use capture_filter as-it-is when you are not
>> using DPD; and to disable capture_filter (using "bro -f") if you are
>> using DPD. In the latter case, you end up analyzing all packets which
>> causes an extra performance cost of about 13.8% [with given parameters,
>> Section 6.1, USENIX'06 paper].
>>
>> The same section of the paper also says that the runtime of the Bro
>> system exceeds the duration of the trace, indicating that we require
>> "multiple NIDS instances in live operation".
>>
>> "Multiple NIDS instances in live operation" - has this been discussed
>> anywhere else? With the filter disabled, this would be very useful. Is
>> it as simple as splitting up your policy file among different machines
>> running Bro or is there more to it?
>
> Someone else can correct me if I'm wrong, but I think that you need
> to set up a clustered environment with managers, proxies, and
> workers. The user manual briefly mentions something about this in the
> installation section, but my limited understanding of how it works
> comes from reading the scripts located at $BROHOME/share/broctl. My
> use of bro is strictly for offline processing so I have yet to really
> pay attention to it other than starting bro in standalone mode.
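The capture_filter versus DPD trade-off from the quoted exchange, as an added illustration (my code, not Bro's; the port table, the protocol signatures and the sample flows are constructed for this example): a capture filter built from the analyzers' well-known ports never hands off-port HTTP or SSH sessions to the engine, so content-based detection can only see them once the filter is widened as in `bro -f "tcp or udp or icmp"`.

```python
# Added illustration (not Bro code): why a port-based capture filter
# defeats dynamic protocol detection. All flows below are constructed.
from dataclasses import dataclass
from collections import Counter

@dataclass
class Flow:
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port (0 for icmp)
    payload: bytes  # first bytes the server receives

# Stand-in for per-analyzer capture_filters: only the well-known ports.
ANALYZER_PORTS = {"http": {80}, "ssh": {22}, "dns": {53}}

def port_filter(flow: Flow) -> bool:
    """Emulates the default capture_filter: keep only ports analyzers know."""
    return any(flow.dport in ports for ports in ANALYZER_PORTS.values())

def all_filter(flow: Flow) -> bool:
    """Emulates bro -f 'tcp or udp or icmp': every IP packet reaches Bro."""
    return flow.proto in ("tcp", "udp", "icmp")

def detect_protocol(flow: Flow) -> str:
    """Content-based detection (what DPD does), ignoring the port entirely."""
    p = flow.payload
    if p.startswith(b"SSH-"):
        return "ssh"
    if p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") and b"HTTP/" in p:
        return "http"
    return "unknown"

def analyze(flows, capture) -> Counter:
    """Count detected protocols among the flows that `capture` lets through."""
    return Counter(detect_protocol(f) for f in flows if capture(f))

SAMPLE_FLOWS = [  # constructed samples, not captured traffic
    Flow("tcp", 80,   b"GET / HTTP/1.1\r\nHost: a\r\n"),
    Flow("tcp", 8080, b"GET /admin HTTP/1.1\r\nHost: b\r\n"),  # HTTP off-port
    Flow("tcp", 2222, b"SSH-2.0-OpenSSH_5.3\r\n"),            # SSH off-port
    Flow("tcp", 22,   b"SSH-2.0-OpenSSH_5.3\r\n"),
    Flow("udp", 53,   b"\x12\x34\x01\x00\x00\x01"),
]

if __name__ == "__main__":
    print("port filter :", dict(analyze(SAMPLE_FLOWS, port_filter)))
    print("all packets :", dict(analyze(SAMPLE_FLOWS, all_filter)))
```

With the port filter the two off-port sessions are never seen at all, so no amount of DPD on the remaining packets recovers them; this is the cost/coverage trade-off the quoted 13.8% figure is weighed against.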