[Bro] Bro performance issues
Seth Hall
seth at icir.org
Mon Oct 31 10:33:03 PDT 2011
On Oct 31, 2011, at 1:08 PM, Tomer Teller wrote:
> Do you mean PF_RING with front-end solution such as click router?
> Is it possible to run everything on a single machine?
Martin is referring to clustering in PF_RING. It will split your traffic into bidirectional flows within your kernel and it is easy to configure with Bro 2.0-beta (I wouldn't try it with 1.5, it would be a bit of a mess). If you're running with broctl it will mostly just work with PF_RING out of the box including clustering, you just need to make sure you're building against the correct libpcap using PF_RING's libpcap wrapper and then all of your workers you configure in broctl's node.cfg file should sniff the same interface.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
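
The node.cfg layout the message above describes, for a single machine, as an added example that is not part of the original message. The loopback host address, the interface name eth0 and the worker count are assumptions; it presumes Bro was built against PF_RING's libpcap wrapper as the message says.

```ini
# broctl node.cfg: manager, proxy and workers all on one machine.
# Host address, interface name and worker count are assumed values.

[manager]
type=manager
host=127.0.0.1

[proxy-1]
type=proxy
host=127.0.0.1

# Every worker sniffs the SAME interface. With Bro linked against
# PF_RING's libpcap, PF_RING clustering splits the traffic into
# bidirectional flows in the kernel, so each worker sees a distinct
# subset of connections rather than a copy of everything.
[worker-1]
type=worker
host=127.0.0.1
interface=eth0

[worker-2]
type=worker
host=127.0.0.1
interface=eth0

[worker-3]
type=worker
host=127.0.0.1
interface=eth0
```

If Bro is linked against the stock libpcap instead, each of these workers receives the full traffic on the interface, which multiplies the load and duplicates log entries rather than sharing the work.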