[Bro] delayed bro operation
Frank Meier
franky.meier.1 at gmx.de
Fri Apr 24 02:16:11 PDT 2015
Hi.

A policy forces me to run bro in a separate network, so the captured PCAPs are transferred to the bro network for logging purposes. How would I handle delays in feeding bro with the PCAPs? Would connections spanning multiple PCAPs be a problem?
My first idea is to crank up all the timeouts like this:
redef tcp_inactivity_timeout = 5 days;
redef udp_inactivity_timeout = 5 days;
redef icmp_inactivity_timeout = 5 days;
redef default_file_timeout_interval = 5 days;
What performance penalty will I suffer? I guess the RAM usage will grow, because connections that were not cleanly terminated would hang around for a long time.

Are there any examples for this kind of setup? How would you search for this?
Have a nice weekend!
Franky