[Bro] Bro with 10Gb NIC's or higher

Oehlert, Samuel soehlert at illinois.edu
Fri Jan 9 13:02:41 PST 2015


Capture_loss.log and it should be with all your other logs once you turn
it on. Remember to install, check, and restart brocontrol to get it
turned on.

On 1/9/15, 1:31 PM, John Donnelly wrote:
> Hi,
> What is the name of the log and where is it located at?
>
>
> On Thu, Jan 8, 2015 at 10:41 AM, Brandon Lattin <latt0050 at umn.edu
> <mailto:latt0050 at umn.edu>> wrote:
>
>     Turn on the capture-loss script by adding the following to your
>     local.bro:
>
>     @load misc/capture-loss
>
>     On Thu, Jan 8, 2015 at 10:31 AM, John Donnelly <jdonnelly at dyn.com
>     <mailto:jdonnelly at dyn.com>> wrote:
>
>         How does one know if bro is dropping (10%) of messages?
>
>         On Thu, Jan 8, 2015 at 9:28 AM, Mike Patterson
>         <mike.patterson at uwaterloo.ca
>         <mailto:mike.patterson at uwaterloo.ca>> wrote:
>
>             Succinctly, yes, although that provision is a big one.
>
>             I'm running Bro on two 10 gig interfaces, an Intel X520
>             and an Endace DAG 9.2X2. Both perform reasonably well.
>             Although my hardware is somewhat underspecced (Dell R710s
>             of differing vintages), I still get tons of useful data.
>
>             If your next question would be "how should I spec my
>             hardware", that's quite difficult to answer because it
>             depends on a lot. Get the hottest CPUs you can afford,
>             with as many cores. If you're actually sustaining 10+Gb
>             you'll probably want at least 20-30 cores. I'm sustaining
>             4.5Gb or so on 8 3.7GHz cores, but Bro reports 10% or so
>             loss. Note that some hardware configurations will limit
>             the number of streams you can feed to Bro, e.g. my DAG can
>             only produce 16 streams so even if I had it in a 24 core
>             box, I'd only be making use of 2/3 of my CPU.
>
>             Mike
>
>             > On Jan 7, 2015, at 5:04 AM, coen bakkers
>             <cbakkers at yahoo.de <mailto:cbakkers at yahoo.de>> wrote:
>             >
>             > Does anyone have experience with higher speed NICs and
>             Bro? Will it sustain 10Gb speeds or more provided the
>             hardware is spec'd appropriately?
>             >
>             > regards,
>             >
>             > Coen
>             > _______________________________________________
>             > Bro mailing list
>             > bro at bro-ids.org <mailto:bro at bro-ids.org>
>             > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>     -- 
>     Brandon Lattin
>     Security Analyst
>     University of Minnesota - University Information Security
>     Office: 612-626-6672 <tel:612-626-6672>
>


-- 
Sam Oehlert
Security Engineer
NCSA
soehlert at illinois.edu
(217)300-1076
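
One way to read the capture_loss.log discussed in this thread and see which workers are dropping traffic, as an added example that is not part of the original messages. It assumes Bro's tab-separated log layout with the capture-loss fields `ts`, `ts_delta`, `peer`, `gaps`, `acks` and `percent_lost`; the sample records, worker names and the 10% threshold are constructed.

```python
from collections import defaultdict

# Constructed sample in Bro's TSV log layout (not data from the thread).
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tcapture_loss",
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble",
    "1420837200.0\t900.0\tworker-1\t1000\t10000\t10.000000",
    "1420837200.0\t900.0\tworker-2\t50\t10000\t0.500000",
    "1420837200.0\t900.0\tworker-3\t0\t0\t0.000000",
    "1420838100.0\t900.0\tworker-1\t1200\t10000\t12.000000",
    "1420838100.0\t900.0\tworker-2\t150\t10000\t1.500000",
    "#close\t2015-01-09-14-00-00",
])

def parse_bro_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))

def loss_by_peer(records):
    """Return {peer: percent lost}, weighted by ACK count over all intervals.

    Summing gaps and acks avoids averaging per-interval percentages, which
    would give a quiet interval the same weight as a busy one.
    """
    gaps, acks = defaultdict(int), defaultdict(int)
    for rec in records:
        gaps[rec["peer"]] += int(rec["gaps"])
        acks[rec["peer"]] += int(rec["acks"])
    # Zero ACKs means no TCP was measured: report None rather than 0% loss.
    return {p: (100.0 * gaps[p] / acks[p] if acks[p] else None) for p in acks}

def peers_over(loss, threshold_pct):
    """Peers whose measured loss meets or exceeds the threshold."""
    return sorted(p for p, pct in loss.items()
                  if pct is not None and pct >= threshold_pct)

if __name__ == "__main__":
    loss = loss_by_peer(parse_bro_log(SAMPLE_LOG))
    for peer in sorted(loss):
        print(peer, "no TCP seen" if loss[peer] is None else f"{loss[peer]:.1f}%")
    print("over 10%:", peers_over(loss, 10.0))
```

A worker that reports `None` here saw no ACKs at all, which usually deserves a look at the load balancing feeding that worker rather than being read as zero loss.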
