[Bro] Seeking hardware/OS recommendations

[Brian Tierney]

I'll add a couple more points to this thread:


Joncarlo Ruggieri wrote:
> Hi,
> 
> 
> I suppose our questions are:
> 
> 1) Which OS should we use - FreeBSD or RedHat?


I'd go with FreeBSD 6.0 too.

Also, its more efficient to combine the interfaces in the kernel
than it is to have Bro listen on 2 interfaces. You can do this with
the 'netgraph' module as follows:

#!/bin/sh
# use NETGRAPH to bond interfaces together

# ti interfaces are real interfaces which receive tap input
# outputs; ngeth0 is created by ngctl

# ng_ether must be loaded so netgraph can "see" the
# real interfaces sf2 and sf3
kldload ng_ether

# bring up the real interfaces
ifconfig ti0 promisc -arp up
ifconfig ti1 promisc -arp up

# create ngeth0 and bind em1 and em2 to it
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect ti0: ngeth0:lower lower many0
ngctl connect ti1: ngeth0:lower lower many1

# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up


Also, be sure to check your BPF buffer size (Bro prints this to the info
file on startup) We use 4MB.


> 4) Is it reasonable to assume that the most intensive part of this process
> is the initial collection and analysis by Bro which results in the various
> Bro log files?

Some of the analyzers are quite CPU intensive as well. In particular
the HTTP analyzers, and the Signature matching

> 
> 5) Are there other hardware or OS recommendations?
> 

You should try to keep the CPU load to under 60% to avoid packet drops.

You'll probably need multiple Bro hosts to monitor everything. You can
try doing HTTP on a separate host, or try something like even src/dst
pairs on one host, and odd on another:

eg:
redef restrict_filters += { ["capture even IPs only"] = "(ip[12:4] +
ip[16:4]) & 1 == 0" };