[Bro] Network taps for Bro

Daniel Manzo daniel.manzo at bayer.com
Wed Aug 3 12:39:33 PDT 2016

It is a single 10G connection right now, but possibly expanding in the future. I'm just focusing on the single 10G at the moment, so I think I would be able to connect right to the bro box, like you mentioned. I'll look more into tap aggregation/load-balancing later on.


From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Gary Faulkner
Sent: Wednesday, August 03, 2016 3:29 PM
To: bro at bro.org
Subject: Re: [Bro] Network taps for Bro

Another thing to consider is if it is a single 10G connection you may be able to go right to the bro box from the tap, but if you have multiple 10G connections, or need to send the signal to monitoring tools on multiple boxes you may also need to look into a tap aggregator/load-balancer as well. If the connection is running on a specific CWDM/DWDM wavelength you may also need to check that your NICs and/or tap aggregator support the proper optics as not all do.

On 8/3/16 2:02 PM, James Eyrich wrote:

Bro doesn't care about any of that.

The optics going into your tap aggregator or direct into the bro nodes need to match whatever you are using for the connection. Same for the splitter.

Regarding splitter ratios - it depends on your light budget regarding the receive sensitivity on the ends of the actual connection and the optics feeding the bro system.

Off the top of my head I was thinking 50/50 is good for data center and 70/30 for WAN.

If you are running out of light once the splitter is in place you might have to move to higher powered optics all around.

One thing we ran into is some of the "lite" optics for use in data centers also have reduced sensitivity in addition to lower send power.

On 8/3/2016 1:37 PM, Daniel Manzo wrote:

Hi all,

My team is looking into using the Bro IDS for monitoring of a science DMZ with a 10 Gbps network. I was wondering how to choose which network tap(s) is necessary for this type of connection and if you have any recommendations/methods for setting up the hardware for Bro.

I have been looking at the passive Ixia Flex taps, specifically the LC 10G SM 50/50 split tap. Will single mode (SM) versus multi-mode (MM) make a difference for Bro? And does Bro require a 50/50 ratio, or would I be able to get away with a different ratio?

Thanks for the help,

Daniel Manzo


Bro mailing list

bro at bro-ids.org<mailto:bro at bro-ids.org>

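The light-budget check discussed in this thread, as an added example that is not part of the original messages: it computes how many dB remain at the production receiver and at the monitoring sensor once a passive splitter is inserted. The optic power figures, the path loss, the 1 dB required margin, and the convention that the first number of a ratio is the share kept on the production link are all assumptions made for illustration.

```python
import math

def split_loss_db(fraction, excess_db=0.0):
    """Loss in dB on a splitter leg that passes `fraction` of the light.
    excess_db is the tap's extra loss beyond the ideal split (assumed)."""
    if not 0.0 < fraction < 1.0:
        raise ValueError("fraction must be strictly between 0 and 1")
    return -10.0 * math.log10(fraction) + excess_db

def margin_db(tx_dbm, rx_sens_dbm, path_loss_db, fraction, excess_db=0.0):
    """dB to spare at a receiver behind one splitter leg (negative: no link)."""
    received_dbm = tx_dbm - path_loss_db - split_loss_db(fraction, excess_db)
    return received_dbm - rx_sens_dbm

def evaluate_tap(tx_dbm, link_rx_sens_dbm, mon_rx_sens_dbm, path_loss_db,
                 network_fraction, excess_db=0.0, required_margin_db=1.0):
    """Check both legs of a passive tap: production link and monitor port."""
    net = margin_db(tx_dbm, link_rx_sens_dbm, path_loss_db,
                    network_fraction, excess_db)
    mon = margin_db(tx_dbm, mon_rx_sens_dbm, path_loss_db,
                    1.0 - network_fraction, excess_db)
    return {"network_margin_db": round(net, 2),
            "monitor_margin_db": round(mon, 2),
            "network_ok": net >= required_margin_db,
            "monitor_ok": mon >= required_margin_db}

# Constructed optic figures in dBm, not taken from any datasheet.
# LITE models a lower-power optic with reduced receive sensitivity.
STANDARD = {"tx": -5.0, "rx_sens": -14.0}
LITE = {"tx": -8.0, "rx_sens": -11.0}
PATH_LOSS_DB = 2.0  # assumed fiber plus connector loss

if __name__ == "__main__":
    for name, optic in (("standard", STANDARD), ("lite", LITE)):
        for net_frac in (0.5, 0.7):
            result = evaluate_tap(optic["tx"], optic["rx_sens"],
                                  STANDARD["rx_sens"], PATH_LOSS_DB, net_frac)
            print(f"{name:8s} {int(net_frac * 100)}/{int(round((1 - net_frac) * 100))}",
                  result)
```

With these constructed numbers the standard optics keep both legs up at either ratio, while the lower-power optics leave the production link below sensitivity even at 50/50.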