[Bro] Bro - a general question

Seth Hall hall.692 at osu.edu
Thu Dec 18 12:20:49 PST 2008


On Dec 18, 2008, at 9:26 AM, Sirisha Akkala wrote:

> Is Bro 1.4 the first attempt to make a parallelizable IDS?
> Would anyone know, offhand, what is the optimum number of worker
> nodes? And I think that might change with network speed?

I think that the optimum number of worker nodes (the hosts actually
sniffing traffic) is extremely site specific.  Things that can make a
big difference...  Number of packets per second, total bps bandwidth,
the hardware your worker nodes are using, the analysis you're choosing
to do, etc.  Those are just the few things I could think of off the top
of my head right now.

I'll describe my environment as an example.  During the day we
typically see upwards of 1.4 Gbps at just over 200K packets per
second.  We do full traffic analysis; our BPF filter is just "ip".  We
run the DPD (dynamic port detection) code, so we can identify
protocols on any port.  We run most of the "http-" suite of scripts
(including my own custom scripts), causing the HTTP analyzer to be
enabled, which seems to be the most intense analyzer that Bro has.
With all of this in mind, we don't drop packets for all intents and
purposes.

We are currently running 6 2.4 GHz Core2 quad workers and another 8 or
so 2.8 GHz Pentium 4 workers.  I consider this fairly reasonable
because we purchased all of the 1U quad core hosts new at just under
$650 each and the Pentium 4s were free (but they can't process that
much traffic because they have slow memory buses).

Currently, our plan for the future is to continue purchasing more
hosts as the need (packet loss) arises.  I think we should be able to
scale reasonably well for quite some time with that strategy.

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
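The scaling rule in the reply above (watch per-worker packet loss, add sniffing hosts when loss appears) can be turned into a small capacity check. The following is an added example, not code from the original post or from the Bro project. It parses constructed per-worker capture counters, flags workers that are dropping packets, takes the highest per-worker packet rate observed without drops as a sustainable ceiling, and projects how many workers an aggregate rate would need with headroom. The stats line format, the worker names, the 0.1% loss threshold and the assumption that traffic is spread evenly across workers are all assumptions of this example.

```python
"""Capacity check for a cluster of traffic-sniffing worker nodes.

Added example; not part of the original mailing-list post. It models the
strategy described there: watch per-worker packet loss and add workers when
loss shows up. The stats format and every number below are constructed.
Assumption: traffic is spread roughly evenly across workers, so per-worker
load is aggregate load divided by worker count.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WorkerStats:
    name: str
    pkts_recv: int      # packets handed to the analysis engine in the interval
    pkts_drop: int      # packets the capture layer reported as dropped
    interval_s: float   # length of the measurement interval in seconds

    @property
    def drop_rate(self) -> float:
        """Fraction of packets lost before analysis (0.0 when nothing was seen)."""
        total = self.pkts_recv + self.pkts_drop
        return self.pkts_drop / total if total else 0.0

    @property
    def pps(self) -> float:
        """Packets per second offered to this worker, drops included."""
        return (self.pkts_recv + self.pkts_drop) / self.interval_s


# Constructed sample: "worker recv drop interval_seconds", one worker per line,
# as a monitoring cron job might collect from each sniffing host.
SAMPLE = """\
# name   recv     drop   interval
w1       1800000  0      60
w2       1790000  0      60
w3       1810000  45000  60
w4       1700000  0      60
"""


def parse_stats(text: str) -> List[WorkerStats]:
    """Parse the constructed whitespace-separated stats format."""
    stats = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, recv, drop, interval = line.split()
        stats.append(WorkerStats(name, int(recv), int(drop), float(interval)))
    return stats


def workers_with_loss(stats: List[WorkerStats], max_drop_rate: float = 0.001) -> List[str]:
    """Names of workers whose loss exceeds the threshold (assumed 0.1% here)."""
    return [s.name for s in stats if s.drop_rate > max_drop_rate]


def aggregate_pps(stats: List[WorkerStats]) -> float:
    """Total packet rate offered to the whole cluster."""
    return sum(s.pps for s in stats)


def sustainable_pps_per_worker(stats: List[WorkerStats]) -> Optional[float]:
    """Highest per-worker rate seen with zero drops: a measured, not theoretical, ceiling."""
    clean = [s.pps for s in stats if s.pkts_drop == 0]
    return max(clean) if clean else None


def workers_needed(total_pps: float, per_worker_pps: float, headroom: float = 0.25) -> int:
    """Workers required to carry total_pps with headroom, assuming an even spread."""
    return math.ceil(total_pps * (1.0 + headroom) / per_worker_pps)


if __name__ == "__main__":
    stats = parse_stats(SAMPLE)
    ceiling = sustainable_pps_per_worker(stats)
    print("workers dropping packets:", workers_with_loss(stats))
    print("aggregate pps: %.0f" % aggregate_pps(stats))
    print("sustainable pps per worker: %s" % ceiling)
    # Project the 200K pps daytime peak mentioned in the post against the measured ceiling.
    if ceiling:
        print("workers for 200K pps with 25%% headroom: %d" % workers_needed(200_000, ceiling))
```

The ceiling is derived from workers that are keeping up rather than from vendor specs, which matches the point that the right count depends on the site's own hardware and analysis load; rerun the projection whenever the script set or the traffic mix changes.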