[Bro] question about intel files
seth at icir.org
Tue Aug 2 07:22:46 PDT 2016
> On Aug 2, 2016, at 8:43 AM, philosnef <philosnef at yahoo.com> wrote:
> Are intel files loaded into memory or statically evaluated?
It's loaded into memory. It's just using normal Bro data types which have some overhead.
> We have about 2000 lines of intel (cert hash, file hash, domain) currently. This new addition would drive this up to ~35,000 lines of intel. We are trying to determine if this is practical given our current load on the box.
Generally I would expect that amount of intelligence to be fine. It seems as though you may have some other trouble in your deployment though.
> Also, why does bro continuously chew ram up? When first started, bro eats about 80 gigs, then moves up through the day to about 120-175.]
How many workers are you running?
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro