[Bro] 10Gbps Bro deployment
jedwards2728 at gmail.com
Sun Sep 11 02:03:50 PDT 2016
I will be deploying an instance of Bro onto two fairly powerful Ubuntu
servers that sit off a pair of 10Gbps TAP devices. I have only used Bro on
a smaller 1Gbps TAP and just deployed it after compiling the source of
2.4.1 and got the file extraction scripts to work.
What sort of deployment options should I be considering? The reason I ask
is that out of the box Bro's logs seem to be quite lightweight in terms of
disk usage consumption, and they are rotated and gzipped. I want to put together
a deployment document as to how and why I will deploy it.
As the TAPs are passive they don't aggregate; they collect both RX and TX
fiber but in separate streams, so I will need to aggregate the data or bond
the interfaces. Then is it best I have Bro running on both systems and
build another as the cluster head to use Broctl? Or is having two separate
instances of Bro, one per Ubuntu server, OK?
The data will be placed back into a large Splunk indexer.
Thanks for any assistance.
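For reference, this is what the cluster layout asked about above looks like as a broctl `node.cfg`. It is an added example, not part of the original post or a configuration from the Bro project: one manager (and proxy) on a third host acting as the cluster head, and worker processes on each of the two sensor servers, each sniffing a bonded interface. The hostnames/addresses, the interface name `bond0` (assumed to be an OS-level bond of the TAP's RX and TX legs, set up outside Bro), the number of worker processes and the use of PF_RING for load balancing are all assumptions chosen for illustration; the key names (`type`, `host`, `interface`, `lb_method`, `lb_procs`, `pin_cpus`) are standard broctl settings for the 2.4 series.

```ini
# /usr/local/bro/etc/node.cfg (added example; hosts and interfaces are assumptions)

# Cluster head: the manager collects logs and notices from all workers and
# runs broctl. It does not need to see traffic itself.
[manager]
type=manager
host=10.0.0.1

# Proxies coordinate state between workers. One on the manager host is enough
# for a two-sensor cluster.
[proxy-1]
type=proxy
host=10.0.0.1

# Sensor 1: bond0 is assumed to be the bonded RX+TX pair of the first TAP.
# lb_method=pf_ring fans the traffic out across lb_procs worker processes
# so a single 10Gbps stream is not handled by one core.
[worker-1]
type=worker
host=10.0.0.2
interface=bond0
lb_method=pf_ring
lb_procs=8
pin_cpus=2,3,4,5,6,7,8,9

# Sensor 2: same layout for the second TAP.
[worker-2]
type=worker
host=10.0.0.3
interface=bond0
lb_method=pf_ring
lb_procs=8
pin_cpus=2,3,4,5,6,7,8,9
```

With this layout the manager host is the single place `broctl install`/`broctl deploy` are run from, all workers receive the same site policy (including the file extraction scripts), and the rotated, gzipped logs land in one `logs/` tree on the manager, which is also the natural point for a Splunk forwarder. Running two standalone instances instead would leave each sensor with its own log tree and no shared connection state between the two TAPs.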