[Bro] Questions about Bro clusters deployments
C. L. Martinez
carlopmart at gmail.com
Thu Feb 6 02:50:12 PST 2014
On Tue, Feb 4, 2014 at 10:28 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
> Hi all,
> I am thinking of installing some bro sensors in our infrastructure under
> CentOS and FreeBSD hosts using the new release 2.2. My idea is to use
> bro cluster features to set up centralized configs and logs. But after
> reading the doc section about this type of deployment I have some doubts:
> a) Policy rules: Do they need to be stored in the manager or can I
> deploy different rules for every bro worker? For example, if I set up
> worker A and worker B and I want to deploy only 10 rules for worker A
> and 20 for worker B, how can I do that?
> b) About *.cfg files: Do I need to configure these files on every
> worker or only on the manager? But if it is only on the manager side
> and workers need to monitor different networks as internal
> networks, how can I segregate this?
> c) About bpf filters: In this new release (2.2), is it possible to
> add bpf filters out-of-the-box or do I need to implement customized
> scripts, like for example securityonion does?
Please, any input?