[Bro] question about intel files

Seth Hall seth at icir.org
Tue Aug 2 07:22:46 PDT 2016

> On Aug 2, 2016, at 8:43 AM, philosnef <philosnef at yahoo.com> wrote:
> Are intel files loaded into memory or statically evaluated?

It's loaded into memory.  It's just using normal Bro data types which have some overhead.

> We have about 2000 lines of intel (cert hash, file hash, domain) currently. This new addition would drive this up to ~35,000 lines of intel. We are trying to determine if this is practical given our current load on the box.

Generally I would expect that amount of intelligence to be fine.  It seems as though you may have some other trouble in your deployment though.

> Also, why does bro continuously chew ram up? When first started, bro eats about 80 gigs, then moves up through the day to about 120-175.]

How many workers are you running?


Seth Hall
International Computer Science Institute
