[Bro] ServerFound notices slowed (was DNS logging)

Robin Sommer robin at icir.org
Fri Dec 4 17:33:47 PST 2009


On Fri, Dec 04, 2009 at 10:50 -0700, you wrote:

> difference.  We also moved our SPAN port from a core-to-core link to an
> Internet-to-core link.  That may have caused a difference, but I had 
> expected to see more ServerFounds.

Are there any internal systems for which you can confirm that they
should be reported? If so, capturing a trace and running it through
Bro offline could show whether it's a problem of the cluster config or
something else in Bro.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org


