[Bro] optimize running bro from PCAPs / advantage of cluster mode

Frank Meier franky.meier.1 at gmx.de
Fri Sep 22 04:15:06 PDT 2017


In contrast to the normal use case I run Bro mostly from pcaps. When
huge amounts of data (~20 TB) have to be processed, bro in standalone
mode becomes a real bottleneck. So I thought about using the bro cluster.

In the past I thought the bro workers would communicate with each
other, so when for example one worker sees upstream and the other
downstream, they would combine the information into one log. Seth told me
at BroCon that Bro needs to be fed complete streams. To do this some
kind of load balancer is needed in front of bro.

When I need to split the flows with a load balancer anyway, is there any
advantage of running bro in cluster mode at all? I do not need any
shared data like tables. Are there any parsers which combine the
information seen by different workers in different flows?

If cluster mode has no added value in my case, I could just load
balance my pcaps to independent bro instances which would make my setup
much easier.

Have a nice weekend!
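The point raised above, that a load balancer in front of Bro must keep both directions of a connection on the same worker, is illustrated by the following added example (not code from the original post or from the Bro project). It uses a direction-independent flow hash over constructed sample packets and assumes a hypothetical tuple format (src_ip, src_port, dst_ip, dst_port, proto, length) standing in for real pcap records:

```python
import hashlib
from collections import defaultdict

# Constructed sample "packets": (src_ip, src_port, dst_ip, dst_port, proto, length)
SAMPLE_PACKETS = [
    ("10.0.0.1", 40000, "192.0.2.10", 80, 6, 60),    # client -> server (upstream)
    ("192.0.2.10", 80, "10.0.0.1", 40000, 6, 1400),  # server -> client (downstream)
    ("10.0.0.1", 40001, "192.0.2.11", 443, 6, 60),
    ("192.0.2.11", 443, "10.0.0.1", 40001, 6, 1400),
    ("10.0.0.2", 53001, "192.0.2.53", 53, 17, 70),
    ("192.0.2.53", 53, "10.0.0.2", 53001, 17, 120),
]

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent flow identifier: sort the two endpoints so that
    A->B and B->A yield the same key. A plain 5-tuple hash would send the
    two halves of one connection to different workers, and neither worker
    would then see a complete stream."""
    a, b = (src, sport), (dst, dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return f"{proto}|{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}"

def assign_worker(src, sport, dst, dport, proto, n_workers):
    """Stable worker index in [0, n_workers); both directions of a flow match."""
    digest = hashlib.sha256(flow_key(src, sport, dst, dport, proto).encode()).digest()
    return int.from_bytes(digest[:8], "big") % n_workers

def split_flows(packets, n_workers):
    """Partition packets into n_workers buckets, keeping every flow whole."""
    buckets = defaultdict(list)
    for pkt in packets:
        buckets[assign_worker(*pkt[:5], n_workers)].append(pkt)
    return dict(buckets)

def check_flows_whole(buckets):
    """Return True if no flow is spread over more than one bucket."""
    seen = {}
    for idx, pkts in buckets.items():
        for pkt in pkts:
            key = flow_key(*pkt[:5])
            if seen.setdefault(key, idx) != idx:
                return False
    return True

if __name__ == "__main__":
    parts = split_flows(SAMPLE_PACKETS, 4)
    for idx in sorted(parts):
        print(idx, [f"{p[0]}:{p[1]}->{p[2]}:{p[3]}" for p in parts[idx]])
    print("all flows intact:", check_flows_whole(parts))
```

Each bucket could then be written to its own pcap and fed to an independent Bro instance; the same hashing logic is what a hardware or software load balancer must implement for the cluster case.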
