[Bro] delayed bro operation

Frank Meier franky.meier.1 at gmx.de
Mon Apr 27 00:29:43 PDT 2015


On Fri, Apr 24, 2015 at 4:23, Seth Hall <seth at icir.org> wrote:
>> On Apr 24, 2015, at 5:16 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
>> A policy forces me to run bro in a separate network. So the captured PCAPs are
>> transferred to the bro network for logging purposes. How would I handle delays
>> in feeding bro with the PCAPS? Would connections spanning multiple PCAPs be a
>> problem?
> This is a problem that PacketBricks[1] will be able to solve eventually.
> It’s not there yet, but eventually you’ll be able to create a load
> balancing architecture with persistent Bro/Snort/Suricata/etc processes
> and tell PacketBricks to read PCAPs as you get them in place (and, yes,
> I did just say clustered PCAP processing!).  Unfortunately this scenario
> is not quite ready in PacketBricks.

Thanks, I will have a look into that!
