[Bro] ScanSummary intervals
Robin Sommer
robin at icir.org
Tue Feb 7 19:19:57 PST 2006
On Tue, Feb 07, 2006 at 11:50 -0800, Joncarlo Ruggieri wrote:
> 1) Is there something else which might override the report_peer_scan
> thresholds?
If I recall correctly, a source is no longer reported when it has
performed shut_down_thresh connection attempts (default: 100).
Instead Bro then just generates a ScanSummary after 1 day or at
termination, whatever comes first.
> 2) Should checkpointing Bro reset the ScanSummary count, or will we need
> to force that?
It will be reset; by default Bro does not carry state across
restarts (it may though by declaring things as &persistent).
Robin
P.S.: You wrote, you're checkpointing every 3 hours. Do you do this
primarily to avoid running out of memory? If yes: in newer
(development) versions, we've greatly improved the state management,
so this may become unneccesarry eventually.
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list