[Bro] delayed bro operation

Seth Hall seth at icir.org
Fri Apr 24 07:23:50 PDT 2015

> On Apr 24, 2015, at 5:16 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
> A policy forces me to run bro in a separate network. So the captured PCAPs are
> transferred to the bro network for logging purposes. How would I handle delays
> in feeding bro with the PCAPS? Would connections spanning multiple PCAPs be a
> problem?

This is a problem that PacketBricks[1] will be able to solve eventually.  It’s not there yet, but eventually you’ll be able to create a load balancing architecture with persistent Bro/Snort/Suricata/etc processes and tell PacketBricks to read PCAPs as you get them in place (and, yes, I did just say clustered PCAP processing!).  Unfortunately this scenario is not quite ready in PacketBricks.

> redef tcp_inactivity_timeout        = 5 days;
> redef udp_inactivity_timeout        = 5 days;
> redef icmp_inactivity_timeout       = 5 days;
> redef default_file_timeout_interval = 5 days;

You could always try, but I get the sense you won’t be terribly happy with the result.

1. https://github.com/bro/packet-bricks


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
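A minimal way to cope with batches that arrive late and to keep a connection that straddles two files intact is to order the batches by packet time, check the gap between them, and hand Bro one merged trace rather than restarting it per file. The script below is an added example, not Bro/Zeek project code and not from either poster. It assumes classic libpcap files (either byte order, microsecond or nanosecond timestamps, not pcapng), that all batches share one link type, and it uses Bro's default tcp_inactivity_timeout of 5 min as the gap threshold; the file names and packet contents in the usage are constructed.

```python
"""Order, gap-check and merge delayed PCAP batches before a single `bro -r` run.

Added example (not Bro/Zeek project code). Assumes classic libpcap files
(magic 0xa1b2c3d4 / 0xa1b23c4d, either byte order), not pcapng.
"""
import struct

# magic as read in little-endian order -> (struct endianness, ticks per second)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),       # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),       # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),   # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),   # big-endian, nanosecond timestamps
}

DEFAULT_TCP_INACTIVITY = 5 * 60.0  # Bro's default tcp_inactivity_timeout (5 min)


def read_pcap(path):
    """Return (linktype, snaplen, [(ts_seconds, packet_bytes), ...])."""
    with open(path, "rb") as fh:
        hdr = fh.read(24)
        if len(hdr) != 24:
            raise ValueError(f"{path}: truncated global header")
        magic = struct.unpack("<I", hdr[:4])[0]
        if magic not in _MAGICS:
            raise ValueError(f"{path}: not a classic pcap (magic {magic:#x})")
        endian, ticks = _MAGICS[magic]
        _, _, _, _, _, snaplen, linktype = struct.unpack(endian + "IHHiIII", hdr)
        packets = []
        while True:
            rec = fh.read(16)
            if not rec:
                break
            if len(rec) != 16:
                raise ValueError(f"{path}: truncated record header")
            sec, frac, incl, _orig = struct.unpack(endian + "IIII", rec)
            data = fh.read(incl)
            if len(data) != incl:
                raise ValueError(f"{path}: truncated packet data")
            packets.append((sec + frac / ticks, data))
    return linktype, snaplen, packets


def scan(paths):
    """Describe each file and return the list ordered by first packet time."""
    infos = []
    for p in paths:
        linktype, snaplen, pkts = read_pcap(p)
        if not pkts:
            continue  # an empty batch carries no state worth ordering
        infos.append({"path": p, "linktype": linktype, "snaplen": snaplen,
                      "count": len(pkts), "first": pkts[0][0], "last": pkts[-1][0]})
    infos.sort(key=lambda i: i["first"])
    return infos


def gaps(infos, inactivity=DEFAULT_TCP_INACTIVITY):
    """Gap between consecutive batches, flagged when it exceeds the inactivity timeout."""
    out = []
    for prev, nxt in zip(infos, infos[1:]):
        gap = nxt["first"] - prev["last"]
        out.append((prev["path"], nxt["path"], gap, gap > inactivity))
    return out


def merge(paths, out_path):
    """Write one little-endian microsecond pcap with every packet in time order.

    Returns the number of packets written. Inputs must share a link type.
    """
    infos = scan(paths)
    if not infos:
        raise ValueError("no packets to merge")
    linktypes = {i["linktype"] for i in infos}
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {sorted(linktypes)}; merge them separately")
    all_pkts = []
    for i in infos:
        all_pkts.extend(read_pcap(i["path"])[2])
    all_pkts.sort(key=lambda p: p[0])  # stable: equal timestamps keep batch order
    snaplen = max(i["snaplen"] for i in infos)
    with open(out_path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktypes.pop()))
        for ts, data in all_pkts:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            if usec == 1_000_000:  # rounding carried into the next second
                sec, usec = sec + 1, 0
            fh.write(struct.pack("<IIII", sec, usec, len(data), len(data)))
            fh.write(data)
    return len(all_pkts)


def write_pcap(path, packets, linktype=1, snaplen=65535):
    """Constructs a sample input: packets = [(ts_seconds, bytes)], little-endian usec."""
    with open(path, "wb") as fh:
        fh.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype))
        for ts, data in packets:
            sec = int(ts)
            fh.write(struct.pack("<IIII", sec, int(round((ts - sec) * 1_000_000)),
                                 len(data), len(data)))
            fh.write(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: merge_pcaps.py OUT.pcap IN.pcap [IN.pcap ...]")
    for prev, nxt, gap, late in gaps(scan(sys.argv[2:])):
        flag = " (exceeds tcp_inactivity_timeout)" if late else ""
        print(f"{prev} -> {nxt}: gap {gap:.3f}s{flag}")
    print(f"wrote {merge(sys.argv[2:], sys.argv[1])} packets to {sys.argv[1]}")
```

Run it over a batch of transferred files and then `bro -r merged.pcap`, so a connection that was split across two captures is reassembled by one Bro process. When reading a trace Bro's timers advance on packet timestamps rather than wall-clock time, so how late a file arrives does not matter; what the gap check reports is the time missing inside the capture itself, which is what the inactivity timeouts in the quoted redefs would act on.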
