[Bro] Filtering based on port-number

Sunjeet Singh sstattla at gmail.com
Fri Oct 8 08:37:15 PDT 2010


  Got it! Thanks Seth,

Sunjeet Singh


On 10-10-08 08:33 AM, Seth Hall wrote:
> The best documentation for this can currently be found here:
>
>      http://www.icir.org/robin/bro-cluster/
>
>    .Seth
>
> On Oct 8, 2010, at 11:08 AM, Sunjeet Singh wrote:
>
>>   I'm looking into it. Thanks for your help Peter.
>>
>> Sunjeet Singh
>>
>>
>> On 10-10-08 07:59 AM, Peter Erickson wrote:
>>>>> when loading dpd you may need to change the filter to include all
>>>>> packets, e.g. on the command line:
>>>>> bro -f "tcp or udp or icmp" ...
>>>>>
>>>> Okay, so it makes sense to use capture_filter as-it-is when you are not
>>>> using DPD; and to disable capture_filter (using "bro -f") if you are
>>>> using DPD. In the latter case, you end up analyzing all packets which
>>>> causes an extra performance cost of about 13.8% [with given parameters,
>>>> Section 6.1, USENIX'06 paper].
>>>>
>>>> The same section of the paper also says that the runtime of the Bro
>>>> system exceeds the duration of the trace, indicating that we require
>>>> "multiple NIDS instances in live operation".
>>>>
>>>> "Multiple NIDS instances in live operation"- has this been discussed
>>>> anywhere else? With the filter disabled, this would be very useful. Is
>>>> it as simple as splitting up your policy file among different machines
>>>> running Bro or is there more to it?
>>> Someone else can correct me if I'm wrong, but I think that you
>>> need to set up a clustered environment with managers, proxies, and
>>> workers. The user manual briefly mentions something about this in the
>>> installation section, but my limited understanding of how it works
>>> comes from reading the scripts located at $BROHOME/share/broctl. My
>>> use of bro is strictly for offline processing so I have yet to really
>>> pay attention to it other than starting bro in standalone mode.
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
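The two points made in the quoted exchange above, as an added, constructed illustration that is not code from the thread or from Bro itself: first, a port-based capture filter (in the spirit of Bro's capture_filter, which is assembled from analyzer port lists) never hands DPD the packets it would need to recognise a protocol on a non-standard port, which is why an all-packets filter such as `bro -f "tcp or udp or icmp"` is needed; second, "multiple NIDS instances" means splitting the traffic by flow across workers, not splitting the policy, and the split must send both directions of a connection to the same worker. The packet records, the analyzer port table, the payload heuristics and the SHA-256 flow hash are all assumptions made for the demo; a real Bro cluster's front-end load balancer does the flow split, and this does not reproduce it.

```python
"""Constructed demo (not Bro code) of why DPD needs an all-packets capture
filter and why a multi-instance deployment splits traffic by symmetric flow."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # 0 for icmp
    dst: str
    dport: int
    payload: bytes


# Assumed analyzer port table, standing in for the per-analyzer ports
# that Bro folds into capture_filter.
ANALYZER_PORTS = {"http": {80}, "dns": {53}, "ssh": {22}}


def port_capture_filter(pkt):
    """Approximates a port-based capture_filter: keep a packet only if
    one of its ports belongs to a loaded analyzer."""
    known = set().union(*ANALYZER_PORTS.values())
    return pkt.proto in ("tcp", "udp") and (pkt.sport in known or pkt.dport in known)


def all_packets_filter(pkt):
    """Stands in for `bro -f "tcp or udp or icmp"`: everything is captured."""
    return pkt.proto in ("tcp", "udp", "icmp")


def dpd_guess(pkt):
    """Toy dynamic protocol detection: decide from the payload, ignore the port."""
    if pkt.payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "http"
    if pkt.payload.startswith(b"SSH-"):
        return "ssh"
    return None


def analyze(packets, capture):
    """Count the protocols DPD identifies among packets that pass `capture`."""
    return Counter(p for p in (dpd_guess(pkt) for pkt in packets if capture(pkt)) if p)


def flow_key(pkt):
    """Direction-independent 5-tuple so a->b and b->a map to the same key."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, lo, hi)


def worker_for(pkt, n_workers):
    """Assign a worker by hashing the symmetric flow key (assumed scheme);
    both directions of a connection land on the same worker."""
    digest = hashlib.sha256(repr(flow_key(pkt)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_workers


# Constructed sample traffic: HTTP on 80, HTTP on 8080, SSH on 2222, one ICMP.
SAMPLE = [
    Packet("tcp", "10.0.0.5", 40001, "93.184.216.34", 80, b"GET / HTTP/1.1\r\n"),
    Packet("tcp", "93.184.216.34", 80, "10.0.0.5", 40001, b"HTTP/1.1 200 OK\r\n"),
    Packet("tcp", "10.0.0.5", 40002, "198.51.100.7", 8080, b"GET /admin HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.7", 8080, "10.0.0.5", 40002, b"HTTP/1.1 403 Forbidden\r\n"),
    Packet("tcp", "10.0.0.5", 40003, "198.51.100.9", 2222, b"SSH-2.0-OpenSSH_5.3\r\n"),
    Packet("icmp", "10.0.0.5", 0, "198.51.100.9", 0, b""),
]

if __name__ == "__main__":
    # The port filter only ever shows DPD the port-80 traffic.
    print("port filter :", dict(analyze(SAMPLE, port_capture_filter)))
    print("all packets :", dict(analyze(SAMPLE, all_packets_filter)))
    for pkt in SAMPLE:
        print(flow_key(pkt), "-> worker", worker_for(pkt, 4))
```

With the port filter only the two port-80 packets reach DPD; with the all-packets filter it also sees the HTTP session on 8080 and the SSH session on 2222, at the cost of analysing every packet, which is the extra load the thread mentions. The worker assignment shows the other half of the trade: once you run several instances to absorb that load, each connection must be steered whole to one of them, or per-connection analysis breaks.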