[Bro] Seeking hardware/OS recommendations
Brian Tierney
bltierney at lbl.gov
Mon Apr 10 16:15:55 PDT 2006
I'll add a couple more points to this thread:
Joncarlo Ruggieri wrote:
> Hi,
>
>
> I suppose our questions are:
>
> 1) Which OS should we use - FreeBSD or RedHat?
I'd go with FreeBSD 6.0 too.
Also, it's more efficient to combine the interfaces in the kernel
than it is to have Bro listen on 2 interfaces. You can do this with
the 'netgraph' module as follows:
#!/bin/sh
# use NETGRAPH to bond interfaces together
# ti0 and ti1 are the real interfaces which receive the tap
# outputs; ngeth0 is the virtual interface created by ngctl
# ng_ether must be loaded so netgraph can "see" the
# real interfaces ti0 and ti1
kldload ng_ether
# bring up the real interfaces (promiscuous, no ARP: sniff only)
ifconfig ti0 promisc -arp up
ifconfig ti1 promisc -arp up
# create ngeth0 ("." is the ngctl socket node) and bind ti0 and ti1 to it
# through a one2many node: frames arriving on many0/many1 are delivered
# to the single "one" hook, i.e. to ngeth0
ngctl mkpeer . eiface hook ether
ngctl mkpeer ngeth0: one2many lower one
ngctl connect ti0: ngeth0:lower lower many0
ngctl connect ti1: ngeth0:lower lower many1
# bring up ngeth0 for sniffing duties
ifconfig ngeth0 -arp up
Also, be sure to check your BPF buffer size (Bro prints this to the info
file on startup). We use 4MB.
> 4) Is it reasonable to assume that the most intensive part of this process
> is the initial collection and analysis by Bro which results in the various
> Bro log files?
Some of the analyzers are quite CPU intensive as well, in particular
the HTTP analyzers and the signature matching.
>
> 5) Are there other hardware or OS recommendations?
>
You should try to keep the CPU load to under 60% to avoid packet drops.
You'll probably need multiple Bro hosts to monitor everything. You can
try doing HTTP on a separate host, or try something like even src/dst
pairs on one host, and odd on another:
e.g.:
redef restrict_filters += { ["capture even IPs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };
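The even/odd split above works because the BPF expression sums the source and destination addresses, which is symmetric: both directions of a connection always land on the same Bro host, so the stateful analyzers still see complete sessions. The following Python is an added illustration, not code from the original post or from Bro; it emulates the `ip[12:4]` / `ip[16:4]` loads on constructed IPv4 headers (names such as `even_ip_filter` and `assign_host` are this example's own) and checks the symmetry property for a small constructed set of packets.

```python
import struct

def ip_field_u32(packet: bytes, offset: int) -> int:
    """Emulate the BPF load `ip[offset:4]`: a 32-bit big-endian word at
    `offset` into the IPv4 header (packet here starts at the IP header)."""
    return struct.unpack_from("!I", packet, offset)[0]

def even_ip_filter(packet: bytes) -> bool:
    """Python equivalent of the post's filter "(ip[12:4] + ip[16:4]) & 1 == 0".
    BPF arithmetic is 32-bit with wraparound; since only the low bit is
    examined, the wraparound cannot change the result."""
    total = (ip_field_u32(packet, 12) + ip_field_u32(packet, 16)) & 0xFFFFFFFF
    return total & 1 == 0

def odd_ip_filter(packet: bytes) -> bool:
    """The complementary filter for the second host: "... & 1 == 1"."""
    return not even_ip_filter(packet)

def assign_host(packet: bytes) -> str:
    """Which of the two Bro hosts (hypothetical names) would capture this packet."""
    return "bro-even" if even_ip_filter(packet) else "bro-odd"

def build_ipv4_header(src: str, dst: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header (sample input, not captured
    traffic). Checksum is left at zero; BPF does not look at it here."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto(TCP), csum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src_b, dst_b)

def same_host_both_directions(a: str, b: str) -> bool:
    """The split must keep a->b and b->a on one host, or Bro's stateful
    analyzers would see only half of every connection."""
    return assign_host(build_ipv4_header(a, b)) == assign_host(build_ipv4_header(b, a))

def split_traffic(pairs):
    """Count how many constructed src/dst pairs each host would receive."""
    counts = {"bro-even": 0, "bro-odd": 0}
    for src, dst in pairs:
        counts[assign_host(build_ipv4_header(src, dst))] += 1
    return counts

# Constructed sample flows (private addresses, not real traffic).
SAMPLE_PAIRS = [
    ("10.0.0.1", "192.168.1.10"),   # 1 + 0 -> odd
    ("10.0.0.2", "192.168.1.10"),   # 0 + 0 -> even
    ("10.0.0.1", "192.168.1.11"),   # 1 + 1 -> even
    ("10.0.0.3", "172.16.0.2"),     # 1 + 0 -> odd
]

if __name__ == "__main__":
    for src, dst in SAMPLE_PAIRS:
        print(f"{src} -> {dst}: {assign_host(build_ipv4_header(src, dst))}")
    print(split_traffic(SAMPLE_PAIRS))
```

Because the sum is commutative, the low bit only depends on the low bits of the two addresses; a deployment will want to sanity-check that the actual address mix gives a roughly balanced split, since a subnet whose hosts all share the same parity would push most of its traffic to one sensor.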