[Bro] delayed bro operation
franky.meier.1 at gmx.de
Fri Apr 24 02:16:11 PDT 2015
A policy forces me to run Bro in a separate network. So the captured
transferred to the Bro network for logging purposes. How would I handle
in feeding Bro with the PCAPs? Would connections spanning multiple
PCAPs be a
My first idea is to crank up all the timeouts like this:
redef tcp_inactivity_timeout = 5 days;
redef udp_inactivity_timeout = 5 days;
redef icmp_inactivity_timeout = 5 days;
redef default_file_timeout_interval = 5 days;
What performance penalty will I suffer? I guess the RAM usage will
because connections, which were not cleanly terminated, would hang
for a long time.
Are there any examples for this kind of setup? How would you search for
Have a nice weekend!