[Bro] Bro 2.0 packets dropped
jones at tacc.utexas.edu
Sun Feb 12 07:38:45 PST 2012
There is a relatively new behavior from the scanners. In order to work around the automatic scan blocking, they have increased the scan rate so that they can scan 30K-60K addresses in a second. This makes Bro go compute bound, I think due to creating a record for each connection pair, and it cannot keep up.
Using PF_RING helps, but not all attacks hash well and one worker can be overwhelmed.
Is anyone else seeing this new behavior?