[Bro] Cluster Best Practices

Seth Hall seth at icir.org
Wed Sep 24 19:31:25 PDT 2014


On Sep 24, 2014, at 10:20 PM, Dave Crawford <bro at pingtrip.com> wrote:

> Thanks for the feedback Seth. In the scenario of running separate clusters in each data center; is it possible to sync Intel between clusters?

Unfortunately not without some work.

> For example, inbound email is load balanced across multiple data centers, as well as outbound client internet traffic. My goal is to extract URLs from inbound emails and push them into the Intel framework for alerting when outbound traffic matches (e.g. user clicked a link in an email), would that require all data centers to be in a single cluster?

This sort of stuff is one of the many reasons we've been talking about doing hierarchical Bro clusters because it should make it straight forward to actually maintain intelligence data like you'd like to.

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/





More information about the Bro mailing list