[Bro] Filtering based on port-number
Peter Erickson
redlamb19 at gmail.com
Fri Oct 8 07:59:38 PDT 2010
>> when loading dpd you may need to change the filter to include all
>> packets, e.g. on the command line:
>> bro -f "tcp or udp or icmp" ...
>>
> Okay, so it makes sense to use capture_filter as it is when you are not
> using DPD; and to disable capture_filter (using "bro -f") if you are
> using DPD. In the latter case, you end up analyzing all packets which
> causes an extra performance cost of about 13.8% [with given parameters,
> Section 6.1, USENIX'06 paper].
>
> The same section of the paper also says that the runtime of the Bro
> system exceeds the duration of the trace, indicating that we require
> "multiple NIDS instances in live operation".
>
> "Multiple NIDS instances in live operation"- has this been discussed
> anywhere else? With the filter disabled, this would be very useful. Is
> it as simple as splitting up your policy file among different machines
> running Bro or is there more to it?
Someone else can correct me if I'm wrong, but I think that you
need to set up a clustered environment with managers, proxies, and
workers. The user manual briefly mentions something about this in the
installation section, but my limited understanding of how it works
comes from reading the scripts located at $BROHOME/share/broctl. My
use of bro is strictly for offline processing so I have yet to really
pay attention to it other than starting bro in standalone mode.