[Bro] delayed bro operation
seth at icir.org
Fri Apr 24 07:23:50 PDT 2015
> On Apr 24, 2015, at 5:16 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
> A policy forces me to run bro in a separate network. So the captured PCAPs are
> transferred to the bro network for logging purposes. How would I handle delays
> in feeding bro with the PCAPS? Would connections spanning multiple PCAPs be a
This is a problem that PacketBricks will be able to solve eventually. It’s not there yet, but eventually you’ll be able to create a load balancing architecture with persistent Bro/Snort/Suricata/etc processes and tell PacketBricks to read PCAPs as you get them in place (and, yes, I did just say clustered PCAP processing!). Unfortunately this scenario is not quite ready in PacketBricks.
> redef tcp_inactivity_timeout = 5 days;
> redef udp_inactivity_timeout = 5 days;
> redef icmp_inactivity_timeout = 5 days;
> redef default_file_timeout_interval = 5 days;
You could always try, but I get the sense you won’t be terribly happy with the result.
International Computer Science Institute
(Bro) because everyone has a network
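Added example (not from this thread and not Bro's own code): a Python check for the "connections spanning multiple PCAPs" question above. Assuming classic pcap files with Ethernet/IPv4 framing, it reads a series of captures in feed order, finds TCP/UDP connections whose packets appear in more than one file, and compares the largest gap inside each against a chosen inactivity timeout, so you can see whether a redef like the 5-day values quoted above would keep the state alive between files; the sample captures and the 3600 s timeout are constructed for the demo.

```python
import struct
from collections import defaultdict

def read_pcap(data):
    """Yield (timestamp, flow_key) for Ethernet/IPv4 TCP and UDP packets in classic pcap bytes."""
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"      # pcap may be written in either byte order
    off = 24                                      # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack(e + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # too short or not IPv4
            continue
        ihl, proto, l4 = (pkt[14] & 0x0F) * 4, pkt[23], pkt[14 + (pkt[14] & 0x0F) * 4:]
        if proto not in (6, 17) or len(l4) < 4:           # TCP or UDP with ports present
            continue
        sport, dport = struct.unpack("!HH", l4[:4])
        a = ".".join(map(str, pkt[26:30])) + ":%d" % sport
        b = ".".join(map(str, pkt[30:34])) + ":%d" % dport
        lo, hi = sorted((a, b))                           # direction-independent key
        yield ts_sec + ts_usec / 1e6, "%d %s <-> %s" % (proto, lo, hi)

def flows_spanning_files(files, inactivity_timeout):
    """files: [(name, pcap_bytes)] in feed order. Returns {flow: (files_seen, max_gap_s, ok)}
    for flows seen in more than one file; ok is False when the largest gap exceeds the timeout."""
    seen = defaultdict(list)
    for name, data in files:
        for ts, key in read_pcap(data):
            seen[key].append((ts, name))
    result = {}
    for key, pkts in seen.items():
        pkts.sort()
        names = list(dict.fromkeys(n for _, n in pkts))   # files in order of first appearance
        if len(names) < 2:
            continue
        max_gap = max(b[0] - a[0] for a, b in zip(pkts, pkts[1:]))
        result[key] = (names, max_gap, max_gap <= inactivity_timeout)
    return result

def build_pcap(packets):
    """Constructed sample input: little-endian pcap of Ethernet/IPv4/TCP frames 10.0.0.1 -> 10.0.0.2."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, sport, dport in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

# Constructed captures: 40000->443 runs across all three files with an 8000 s gap,
# 40001->80 spans two files 480 s apart, 40002->22 completes inside cap1.
SAMPLE_FILES = [
    ("cap1.pcap", build_pcap([(1000, 40000, 443), (1010, 40000, 443), (1020, 40001, 80), (1030, 40002, 22)])),
    ("cap2.pcap", build_pcap([(1500, 40001, 80), (2000, 40000, 443)])),
    ("cap3.pcap", build_pcap([(10000, 40000, 443)])),
]

if __name__ == "__main__":
    for key, (names, gap, ok) in flows_spanning_files(SAMPLE_FILES, 3600).items():
        print("%-36s files=%s max_gap=%.0fs %s" % (key, names, gap, "ok" if ok else "would be split"))
```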