From jdugan at ncsa.uiuc.edu Tue Jan 2 17:57:59 2001
From: jdugan at ncsa.uiuc.edu (Jon Dugan)
Date: Tue, 2 Jan 2001 19:57:59 -0600
Subject: bro machines
Message-ID: <20010102195759.A29404@ncsa.uiuc.edu>

Hello,

I am about to build three Bro machines, and I'm trying to determine what
hardware to buy. These machines will all monitor gigabit ethernet links
and will be running FreeBSD-STABLE.

Here's my first pass:

800 MHz PIII or better
at least 2 64-bit PCI slots
256 MB RAM
3 x 40GB+ ATA100 HD
ATAPI CD-ROM
10/100 Ethernet
2 x SysKonnect SK-9842 SK-NET GE-SX
lame AGP SVGA card

I'm a little bit uncertain about the IDE disk, but the 40GB disks are less
than $200 each -- I can have over 100GB of logging space this way. I'm
normally a SCSI bigot, but lately I'm not sure it's worth it in all
applications.

Are the SysKonnect cards the way to go?

Comments? Suggestions?

Jon
--
Jon Dugan | Senior Network Engineer, NCSA Network Development
jdugan at ncsa.uiuc.edu | 57C CAB, 605 E Springfield, Champaign, IL 61820
217/244-7715 | http://www.ncsa.uiuc.edu/people/jdugan

From vern at ee.lbl.gov Sun Jan 7 01:28:17 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Sun, 07 Jan 2001 01:28:17 PST
Subject: bro machines
In-Reply-To: Your message of Tue, 02 Jan 2001 19:57:59 PST.
Message-ID: <200101070928.f079SHQ01933@daffy.ee.lbl.gov>

> I am about to build three Bro machines, and I'm trying to determine what
> hardware to buy. These machines will all monitor gigabit ethernet links
> and will be running FreeBSD-STABLE.
>
> Here's my first pass:
>
> 800 MHz PIII or better
> at least 2 64-bit PCI slots
> 256 MB RAM
> 3 x 40GB+ ATA100 HD
> ATAPI CD-ROM
> 10/100 Ethernet
> 2 x SysKonnect SK-9842 SK-NET GE-SX
> lame AGP SVGA card
>
> I'm a little bit uncertain about the IDE disk, but the 40GB disks are less
> than $200 each -- I can have over 100GB of logging space this way. I'm
> normally a SCSI bigot, but lately I'm not sure it's worth it in all
> applications.
All in all, that system looks good. The key question in general is just
how large a traffic stream will you be monitoring. The above should be
fine for a good-sized site (say 1000 hosts, in my experience). Much larger
and you'll want to increase the RAM.

> Are the SysKonnect cards the way to go?

That's what we use, generally to good effect. Others may work fine, too,
I don't know.

Vern

From vern at ee.lbl.gov Mon Jan 8 00:57:26 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Mon, 08 Jan 2001 00:57:26 PST
Subject: Pattern matching ?
In-Reply-To: Your message of Wed, 20 Dec 2000 17:48:15 PST.
Message-ID: <200101080857.f088vRG04396@daffy.ee.lbl.gov>

(Sorry it took me so long to reply - your mail slipped between the cracks
during the holidays)

> It seems to be hard to do pattern-matching in Bro to find out a pattern in
> normal packets (packets that don't init/terminate an event; or aren't
> part of a protocol's command like "STOR xxx" in FTP but in the content of
> file xxx). For example, I want to alert on any attempt to use the command
> "su" on a Telnet session; alert if any file uploaded via FTP contains the
> pattern of a Worm...

For Telnet sessions, this is easy - do the matching in login_input_line
or login_output_line.

For files uploaded via FTP, this isn't in general possible, since Bro relies
significantly on filtering to reduce its processing load, and to capture
uploaded files would require processing nearly the entire traffic stream.

Vern
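The Telnet case Vern points at, written out as an added example; this is not part of the original thread nor a script from the Bro distribution. It assumes the 2001-era Bro login analyzer, i.e. that `@load login` activates it (and puts Telnet/rlogin traffic into the capture filter), that `login_input_line(c, line)` fires once per line the client types, and that the `log` statement writes to Bro's log file. Everything it sees is what the login analyzer reconstructs from cleartext sessions; the FTP file-content case from the question remains out of reach for the filtering reason Vern gives.

```bro
# Added example: report "su" typed on a monitored login session.
# Assumes Bro's login analyzer delivers each client line via login_input_line.
@load login

# Match a line that is the su command itself, with optional arguments, so
# that words merely starting with "su" (sudo, summary, ...) do not fire.
const su_cmd = /^[ \t]*su([ \t].*)?$/;

# Running count of su invocations per connection, so a session that runs
# su repeatedly is reported with a total rather than as unrelated events.
global su_attempts: table[conn_id] of count;

event login_input_line(c: connection, line: string)
	{
	if ( su_cmd in line )
		{
		if ( c$id !in su_attempts )
			su_attempts[c$id] = 0;
		++su_attempts[c$id];

		# `log` is assumed here to be the statement that writes to Bro's log.
		log fmt("su attempt #%d on login session %s:%d -> %s:%d: %s",
			su_attempts[c$id],
			c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
			line);
		}
	}

# Forget the counter once the connection is over so the table does not
# grow with every session Bro has ever seen.
event connection_finished(c: connection)
	{
	if ( c$id in su_attempts )
		delete su_attempts[c$id];
	}
```

The same shape works for the server side of the session: handling `login_output_line` instead lets you match on what the server sends back (a password prompt or a failure message following the `su`), which is the usual way to tell an attempt apart from a successful escalation.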