[Bro] BRO performance in a real world

Michal Purzynski michal at rsbac.org
Mon Apr 22 12:07:18 PDT 2013


Hi.

How's the BRO real world performance? You know, 10Gbit links and up. How 
many workers do I need for every 1Gbit of traffic (sure, it depends on 
the rules heavily)?

Or just how much traffic can I expect a single worker to handle? How 
about the memory?

That's what I have here:

Intel(R) Xeon(R) CPU E5-2620 @ 2.00GHz x 2 so it gives 24 threads with 
HT enabled.

Also, I have 64GB of RAM in each NSM sensor. Expected traffc? A few 
Gbit/sec, depending on a sensor location.

Do you have some real world examples, such as "we have server with <CPU> 
and <mem> and it handles Gbit/sec of traffic on average/peak"

I know that's a lot of questions, but trying to establish a baseline and 
do some capacity planning here :) And there's nothing in google, apart 
from some (i guess old) statement, that a single bro process can handle 
up to 80Mbit/sec.



More information about the Bro mailing list