[Bro] feature proposal: bro batch processing
seth at icir.org
Wed Oct 7 07:09:38 PDT 2015
> On Oct 7, 2015, at 4:27 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
> as a follow-up to my question about "delayed bro operation" I would
> like to propose a new feature for bro. I call it batch mode and it
> helps to run bro over a large amount of pcap files.
This is a feature that we actually expect packet-bricks to be able to solve shortly. We’ve been thinking about this for a while and with packet-bricks I actually expect we’ll be able to take this even a bit further to process large sets of traces as a cluster as well. You could have packet-bricks essentially play the role of coordinator to pass packets to the processes and continue passing packets as more traces show up (I know of some people that are doing “real-time” sniffing by copying traces from a remote location to their Bro installation). This allows the Bro processes to remain up and keep their state without actually making any changes to Bro. I can see making a small change to Bro to support collecting the timestamps from the trace by having packet-bricks annotating the packets with timestamps.
It’s nice to see that other people are concretely thinking about solving this same problem. Definitely keep an eye on packet-bricks over the next couple of months. :)
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro