[Bro] 10Gbps Bro deployment

John Edwards jedwards2728 at gmail.com
Sun Sep 11 02:03:50 PDT 2016


I will be deploying an instance of Bro onto two fairly powerful Ubuntu
servers that sit off a pair of 10Gbps TAP devices. I have only used Bro on
a smaller 1Gbps TAP and just deployed it after compiling the source of
2.4.1 and got the file extraction scripts to work.

What sort of deployment options should I be considering? The reason I ask
is that out of the box Bro's logs seem to be quite lightweight in terms of
disk usage consumption and they are rotated and gzipped. I want to put together
a deployment document as to how and why I will deploy it.

As the TAPs are passive they don't aggregate; they collect both RX and TX
fiber but in separate streams, so I will need to aggregate the data or bond
the interfaces. Then, is it best that I have Bro running on both systems and
build another as the cluster head, to use BroCtl? Or is having two separate
instances of Bro, one per Ubuntu server, OK?

The data will be placed back into a large Splunk indexer.

Thanks for any assistance.
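As an added illustration (not part of the original post or the Bro project's own documentation), this is what a BroControl node.cfg for the layout asked about above could look like: one small cluster head running manager and proxy, and each of the two capture servers as a load-balanced worker. Hostnames, the bond0 interface (the TAP's RX and TX legs joined into one Linux bonding interface outside of Bro), and the lb_procs/pin_cpus values are assumptions to be replaced for the real hosts.

```ini
# Added example, not from the original post. Assumed names: "bro-manager" is a
# third box acting as the cluster head; "sensor1" and "sensor2" are the two
# Ubuntu capture servers. On each sensor the passive TAP's RX and TX fibers are
# assumed to be merged into one Linux bonding interface, bond0, so a single
# capture interface carries both directions of every flow.

[manager]
type=manager
host=bro-manager

[proxy-1]
type=proxy
host=bro-manager

# One worker section per capture server. lb_method=pf_ring spreads the 10Gbps
# stream across lb_procs worker processes on that host; pin_cpus pins each
# process to its own core. The counts below are placeholders; size them to the
# cores actually available, leaving a few free for the OS and log shipping.
[worker-1]
type=worker
host=sensor1
interface=bond0
lb_method=pf_ring
lb_procs=8
pin_cpus=2,3,4,5,6,7,8,9

[worker-2]
type=worker
host=sensor2
interface=bond0
lb_method=pf_ring
lb_procs=8
pin_cpus=2,3,4,5,6,7,8,9
```

The pf_ring load-balancing method requires Bro on the sensors to be built against PF_RING; with a plain libpcap build, drop lb_method/lb_procs and run a single worker process per host, which is unlikely to keep up with a 10Gbps link.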
