[Bro] Critical Stack requirements

Monah Baki monahbaki at gmail.com
Thu Jan 21 09:40:59 PST 2016

I subscribed to bambenekconsulting.com-DGA-Domains and the
master-public.bro.dat is 132MB in size.

I went with the most popular feed; I am open to suggestions as to what
feed to subscribe to. I am interested in CNC alerts and malicious sites.

We have a 150MB pipe to the internet and around 70 users in the office.

I am running 1 worker though.


On Thu, Jan 21, 2016 at 12:27 PM, Mike Dopheide <dopheide at gmail.com> wrote:
> How many CriticalStack feeds are you subscribing to and against how much
> bandwidth are you monitoring?
> I've heard a rough recommendation that anything more than 100k indicators
> can be pretty rough.  We run with 90k against an average 1G traffic without
> any problems (14 workers).
> -Dop
> On Thu, Jan 21, 2016 at 11:19 AM, Monah Baki <monahbaki at gmail.com> wrote:
>> Hi all,
>> Running SecurityOnion and trying to implement Critical Stack with
>> Bro, server running 24GB RAM the system becomes unresponsive in 30
>> seconds. All memory and swap is utilized by then. Any documentation
>> that shows sizing of Bro and Critical Stack?
>> If I remove criticalstack from local.bro, it's back to normal.
>> Thanks
>> Monah
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
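
Added example, not part of the original thread or of Bro or Critical Stack: a way to count the indicators in a feed file before loading it, so the total can be compared with the rough 100k figure mentioned above. It assumes the file uses the Bro Intel framework layout (tab-separated, with a `#fields` header naming `indicator`, `indicator_type` and `meta.source`); `summarize_intel` is a hypothetical helper and the sample rows are constructed.

```python
import sys
from collections import Counter

# Rough ceiling quoted in the thread, not a documented Bro limit.
ROUGH_LIMIT = 100_000

# Constructed sample in Intel framework layout (assumed column set).
SAMPLE = (
    "#fields\tindicator\tindicator_type\tmeta.source\n"
    "aaa.example.com\tIntel::DOMAIN\tfeed-a\n"
    "bbb.example.com\tIntel::DOMAIN\tfeed-a\n"
    "192.0.2.10\tIntel::ADDR\tfeed-b\n"
    "aaa.example.com\tIntel::DOMAIN\tfeed-b\n"  # same indicator from a second feed
)

def summarize_intel(lines, limit=ROUGH_LIMIT):
    """Count unique indicators per type and per source in an intel file."""
    fields = None
    seen = set()
    duplicates = 0
    by_type, by_source = Counter(), Counter()
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]   # column names follow the tag
            continue
        if line.startswith("#"):
            continue                        # other header/comment lines
        if fields is None:
            raise ValueError("data line seen before a #fields header")
        row = dict(zip(fields, line.split("\t")))
        key = (row.get("indicator"), row.get("indicator_type"))
        if key in seen:                     # overlapping feeds repeat indicators
            duplicates += 1
            continue
        seen.add(key)
        by_type[key[1]] += 1
        by_source[row.get("meta.source", "-")] += 1
    total = len(seen)
    return {"total": total, "duplicates": duplicates,
            "by_type": dict(by_type), "by_source": dict(by_source),
            "over_limit": total > limit}

if __name__ == "__main__":
    # Pass the path to the feed file; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(summarize_intel(fh))
    else:
        print(summarize_intel(SAMPLE.splitlines()))
```

The per-source counts show which subscribed feed contributes most of the total, which is the first thing to look at when trimming subscriptions.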
