[Bro] script/cluster management practices

Matthew Monaco matt at monaco.cx
Wed Apr 29 20:08:16 PDT 2015


My colleagues and I are interested in hearing about how some of you manage your
clusters and scripts.

Are most of your scripts from the Bro git repo? Or have you collected/developed
a lot over time? Especially for the latter, how many are you running in production?

Is it typical to worry about the performance impact of adding scripts; do you
ever remove things because packet drops grow too high? Or is it just time for
more hardware?

Along those lines, how big is your cluster (nodes/workers)? I've heard roughly
100 Mbps/core. Does this mean it's not uncommon to have a 400-core cluster for 40G?

How do you test your scripts? Are you really attentive about keeping PCAPs to
trigger alerts, etc.?

Many thanks!
