[Bro] Network taps necessary for Bro

Mike Dopheide dopheide at gmail.com
Tue Jul 26 09:57:38 PDT 2016


Granted, budget will enter into the equation, but I would highly recommend
following LBL's model.  I'd feed a passive 100G tap into a smarter tap/agg
switch before your Bro cluster.  If you set up shunting for elephant flows
you'll likely be able to get by with a small Bro cluster simply by
filtering out that large traffic.  This is especially true for typical
ScienceDMZ traffic.  You'll want a tap/agg switch that can also load
balance to the tool ports.

If you were to choose an Arista switch, the shunting code already exists.
https://github.com/ncsa/dumbno

-Dop


On Tue, Jul 26, 2016 at 8:24 AM, Daniel Manzo <daniel.manzo at bayer.com>
wrote:

> Hi all,
>
> My team is looking into using the Bro IDS for monitoring of a science DMZ
> with a 100 Gbps network. I was wondering how to choose which network tap(s)
> is necessary for this type of connection and if you have any
> recommendations/methods for setting up the hardware for Bro. I have been
> looking at the passive Ixia Flex taps, but after reading the paper on
> bro.org about the 100G connection in Berkeley Labs, I’m not so sure this
> is the right direction.
>
> Thanks for the help,
>
> Daniel Manzo
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
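The elephant-flow shunting Dop describes above, worked through as an added simulation. This is not dumbno's code, not Bro's, and not part of the thread: it models the controller role only. A tap feeds every packet to the controller; once a connection's byte count crosses a threshold, the controller installs a per-5-tuple deny entry on the tap/agg switch's tool port so the rest of that flow never reaches the Bro cluster, and removes it again when the flow goes idle. The ACL text is an assumed Arista/Cisco-style extended ACL syntax used only for illustration, the traffic is constructed, and the threshold and idle timeout are made-up parameters.

```python
"""Elephant-flow shunting simulation (added example; not dumbno or Bro code).

Roles modelled:
  tap        -> every packet record is handed to ShuntController.observe()
  controller -> counts bytes per connection, installs/removes deny ACL lines
  Bro        -> "sees" only the records observe() passes through

ACL line format below is an assumed extended-ACL syntax for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (proto, ip_a, port_a, ip_b, port_b), endpoints in canonical order so both
# directions of a connection map to one key.
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class PacketRecord:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def flow_key(rec: PacketRecord) -> FlowKey:
    a, b = (rec.src, rec.sport), (rec.dst, rec.dport)
    if a > b:
        a, b = b, a
    return (rec.proto, a[0], a[1], b[0], b[1])


def acl_lines(key: FlowKey) -> List[str]:
    """Deny entries for both directions of one connection (assumed syntax)."""
    proto, ip_a, port_a, ip_b, port_b = key
    return [
        f"deny {proto} host {ip_a} eq {port_a} host {ip_b} eq {port_b}",
        f"deny {proto} host {ip_b} eq {port_b} host {ip_a} eq {port_a}",
    ]


@dataclass
class FlowState:
    nbytes: int = 0        # bytes Bro has seen for this connection
    last_seen: float = 0.0 # in practice: last time the switch ACL counter moved
    shunted: bool = False


@dataclass
class ShuntController:
    threshold: int         # bytes seen by Bro before the flow is shunted
    idle_timeout: float    # seconds of silence before the ACL entry is removed
    flows: Dict[FlowKey, FlowState] = field(default_factory=dict)
    acl: List[str] = field(default_factory=list)
    bytes_to_bro: int = 0
    bytes_shunted: int = 0

    def observe(self, rec: PacketRecord) -> bool:
        """Return True if Bro sees this record, False if the switch dropped it.

        The record that pushes a flow over the threshold is still delivered;
        Bro therefore always gets the handshake and the first `threshold`
        bytes, which is what keeps conn.log and protocol detection intact."""
        key = flow_key(rec)
        st = self.flows.setdefault(key, FlowState())
        st.last_seen = rec.ts
        if st.shunted:
            self.bytes_shunted += rec.nbytes
            return False
        st.nbytes += rec.nbytes
        self.bytes_to_bro += rec.nbytes
        if st.nbytes >= self.threshold:
            st.shunted = True
            self.acl.extend(acl_lines(key))
        return True

    def expire(self, now: float) -> List[FlowKey]:
        """Drop ACL entries for shunted flows idle longer than idle_timeout."""
        gone = [k for k, s in self.flows.items()
                if s.shunted and now - s.last_seen > self.idle_timeout]
        for k in gone:
            for line in acl_lines(k):
                self.acl.remove(line)
            del self.flows[k]
        return gone


def sample_records() -> List[PacketRecord]:
    """Constructed traffic: one bulk data transfer plus a little small stuff."""
    recs = [PacketRecord(float(i), "tcp", "10.0.0.5", 50010,
                         "192.168.1.10", 45000, 1_000_000) for i in range(30)]
    recs.append(PacketRecord(0.5, "udp", "10.0.0.7", 53211, "10.0.0.2", 53, 80))
    recs.append(PacketRecord(0.6, "udp", "10.0.0.2", 53, "10.0.0.7", 53211, 200))
    recs += [PacketRecord(2.0 + i, "tcp", "10.0.0.7", 40001,
                          "93.184.216.34", 80, 20_000) for i in range(5)]
    return recs


def run_simulation(threshold: int = 10_000_000,
                   idle_timeout: float = 60.0) -> ShuntController:
    ctl = ShuntController(threshold, idle_timeout)
    for rec in sorted(sample_records(), key=lambda r: r.ts):
        ctl.observe(rec)
    return ctl


if __name__ == "__main__":
    c = run_simulation()
    total = c.bytes_to_bro + c.bytes_shunted
    print(f"to Bro: {c.bytes_to_bro}  shunted: {c.bytes_shunted} "
          f"({100 * c.bytes_shunted / total:.1f}% of bytes kept off the cluster)")
    print("\n".join(c.acl))
```

Two things to keep in mind when turning this into a real deployment: the threshold has to be high enough that Bro sees the connection setup and any application-layer negotiation before the shunt lands, and the switch has a finite number of ACL entries, so idle shunts must be removed promptly (dumbno handles the latter by polling the switch's ACL counters rather than, as here, seeing the tap traffic itself).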