[Bro] Critical Stack requirements

Monah Baki monahbaki at gmail.com
Thu Jan 21 09:40:59 PST 2016


I subscribed to bambenekconsulting.com-DGA-Domains and the
master-public.bro.dat is 132MB in size.

I went with the most popular feed; I am open to suggestions as to what
feed to subscribe to. I am interested in CNC alerts and malicious sites.

We have a 150MB pipe to the internet and around 70 users in the office.

I am running 1 worker though.

Thanks


On Thu, Jan 21, 2016 at 12:27 PM, Mike Dopheide <dopheide at gmail.com> wrote:
> How many CriticalStack feeds are you subscribing to and against how much
> bandwidth are you monitoring?
>
> I've heard a rough recommendation that anything more than 100k indicators
> can be pretty rough.  We run with 90k against an average 1G traffic without
> any problems (14 workers).
>
> -Dop
>
> On Thu, Jan 21, 2016 at 11:19 AM, Monah Baki <monahbaki at gmail.com> wrote:
>>
>> Hi all,
>>
>>
>> Running SecurityOnion and trying to implement Critical Stack with
>> Bro. The server is running 24GB RAM, and the system becomes unresponsive
>> in 30 seconds. All memory and swap is utilized by then. Any documentation
>> that shows sizing of Bro and Critical Stack?
>>
>> If I remove criticalstack from local.bro, it's back to normal.
>>
>> Thanks
>> Monah
>
>
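
Added example, not part of the original thread or of Bro/Critical Stack: a Python script that counts the indicators in a Bro Intel-framework file per source, so the total can be compared with the rough 100k figure mentioned above. It assumes the tab-separated format with a #fields header and the indicator, indicator_type and meta.source columns; the feed names and sample rows are constructed.

```python
import io
import sys
from collections import Counter

ROUGH_LIMIT = 100_000  # rough figure quoted in the thread, not a documented Bro limit


def summarize_intel(lines):
    """Count rows, distinct indicators, and rows per type/source in a Bro intel file."""
    fields = None
    total = 0
    distinct = set()
    per_type, per_source = Counter(), Counter()
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]  # column names follow the '#fields' tag
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row seen before a #fields header")
        row = dict(zip(fields, line.split("\t")))
        total += 1
        distinct.add((row.get("indicator"), row.get("indicator_type")))
        per_type[row.get("indicator_type", "?")] += 1
        per_source[row.get("meta.source", "?")] += 1
    return {"total": total, "distinct": len(distinct),
            "per_type": per_type, "per_source": per_source}


# Constructed sample: two hypothetical feeds that overlap on one domain.
SAMPLE = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "dga-one.example\tIntel::DOMAIN\tfeed-a\tconstructed\n"
    "dga-two.example\tIntel::DOMAIN\tfeed-a\tconstructed\n"
    "dga-one.example\tIntel::DOMAIN\tfeed-b\tconstructed\n"
    "192.0.2.10\tIntel::ADDR\tfeed-b\tconstructed\n"
)

if __name__ == "__main__":
    # Pass the path to the intel file as the first argument; otherwise use SAMPLE.
    src = (open(sys.argv[1], encoding="utf-8", errors="replace")
           if len(sys.argv) > 1 else io.StringIO(SAMPLE))
    s = summarize_intel(src)
    print(f"rows={s['total']} distinct={s['distinct']}")
    for name, n in s["per_source"].most_common():
        print(f"  {n:>8}  {name}")
    if s["distinct"] > ROUGH_LIMIT:
        print(f"above the ~{ROUGH_LIMIT} indicators mentioned in the thread")
```

Run it with the path to the feed file (for example the master-public.bro.dat mentioned above) as the only argument.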

