[Bro] question about intel files
philosnef at yahoo.com
Tue Aug 2 07:33:09 PDT 2016
We are running pfring with lb_procs=20. We have 40 cores on the box.
On Tuesday, August 2, 2016 10:22 AM, Seth Hall <seth at icir.org> wrote:
> On Aug 2, 2016, at 8:43 AM, philosnef <philosnef at yahoo.com> wrote:
> Are intel files loaded into memory or statically evaluated?
It's loaded into memory. It's just using normal Bro data types which have some overhead.
> We have about 2000 lines of intel (cert hash, file hash, domain) currently. This new addition would drive this up to ~35,000 lines of intel. We are trying to determine if this is practical given our current load on the box.
Generally I would expect that amount of intelligence to be fine. It seems as though you may have some other trouble in your deployment though.
> Also, why does bro continuously chew ram up? When first started, bro eats about 80 gigs, then moves up through the day to about 120-175.]
How many workers are you running?
International Computer Science Institute
(Bro) because everyone has a network
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro