[Bro] delayed bro operation

Frank Meier franky.meier.1 at gmx.de
Fri Apr 24 02:16:11 PDT 2015


Hi.

A policy forces me to run bro in a separate network. So the captured PCAPs are transferred to the bro network for logging purposes. How would I handle delays in feeding bro with the PCAPs? Would connections spanning multiple PCAPs be a problem?

My first idea is to crank up all the timeouts like this:

redef tcp_inactivity_timeout        = 5 days;
redef udp_inactivity_timeout        = 5 days;
redef icmp_inactivity_timeout       = 5 days;
redef default_file_timeout_interval = 5 days;

What performance penalty will I suffer? I guess the RAM usage will grow, because connections which were not cleanly terminated would hang around for a long time.

Are there any examples for this kind of setup? How would you search for this?

Have a nice weekend!

Franky
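As an added example (not part of the original post, and not Bro's own code), the following Python script shows one way to reason about the "connections spanning multiple PCAPs" concern before raising the Bro timeouts. It reads the libpcap file headers directly, orders the captures by the timestamps of their packets, and flags any gap between the last packet of one file and the first packet of the next that is longer than the inactivity timeout. The assumption behind the check is that Bro, when reading from a file rather than an interface, advances its clock from the packet timestamps, so what matters is the gap inside the capture data, not how late the files are delivered. The sample captures, file names and the `make_pcap` helper are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

# Added example, not from the original post or from Bro itself.
# Order PCAP files by their packet timestamps and report gaps between
# consecutive files that exceed a Bro inactivity timeout. A connection that
# straddles such a gap would be expired before its second half is read.

PCAP_MAGIC_US = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16
FIVE_DAYS = 5 * 24 * 3600    # matches "redef ... = 5 days" in the post


def pcap_time_span(data: bytes) -> Tuple[float, float]:
    """Return (first_ts, last_ts) in seconds for a libpcap file held in memory."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<"
    if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        # try big-endian byte order before giving up
        (magic,) = struct.unpack(">I", data[:4])
        if magic not in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            raise ValueError("not a libpcap file")
        endian = ">"
    frac_div = 1e9 if magic == PCAP_MAGIC_NS else 1e6

    off = GLOBAL_HDR_LEN
    first = last = None
    while off + RECORD_HDR_LEN <= len(data):
        # per-packet header: ts_sec, ts_frac, incl_len, orig_len
        sec, frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        ts = sec + frac / frac_div
        if first is None:
            first = ts
        last = ts
        off += RECORD_HDR_LEN + incl_len   # skip the packet bytes
    if first is None:
        raise ValueError("pcap file contains no packets")
    return first, last


def make_pcap(timestamps: List[float], nanos: bool = False) -> bytes:
    """Constructed sample: a minimal libpcap file with one dummy packet per timestamp."""
    magic = PCAP_MAGIC_NS if nanos else PCAP_MAGIC_US
    # magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    payload = b"\x00\x01\x02\x03"            # placeholder packet body
    for ts in timestamps:
        sec = int(ts)
        frac = int(round((ts - sec) * (1e9 if nanos else 1e6)))
        out += struct.pack("<IIII", sec, frac, len(payload), len(payload)) + payload
    return out


def order_captures(captures: Dict[str, bytes],
                   inactivity_timeout: float) -> Tuple[List[str], List[Tuple[str, str, float]]]:
    """Sort captures by first packet time; flag inter-file gaps > inactivity_timeout."""
    spans = {name: pcap_time_span(blob) for name, blob in captures.items()}
    ordered = sorted(spans, key=lambda n: spans[n][0])
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        gap = spans[nxt][0] - spans[prev][1]   # negative means the files overlap
        if gap > inactivity_timeout:
            gaps.append((prev, nxt, gap))
    return ordered, gaps


# Constructed sample captures (names and times are invented for the example).
SAMPLE_CAPTURES = {
    "a.pcap": make_pcap([2000.0, 2010.0, 2050.0], nanos=True),
    "b.pcap": make_pcap([1000.0, 1050.0, 1100.0]),
    "c.pcap": make_pcap([2050.0 + 500000.0, 2050.0 + 500100.0]),  # > 5 days later
}


def demo() -> Tuple[List[str], List[Tuple[str, str, float]]]:
    return order_captures(SAMPLE_CAPTURES, FIVE_DAYS)


if __name__ == "__main__":
    ordered, gaps = demo()
    print("feed order:", " ".join(ordered))
    for prev, nxt, gap in gaps:
        print(f"gap of {gap:.0f}s between {prev} and {nxt} exceeds the timeout")
```

The feed order it produces is what you would hand to `mergecap -w merged.pcap ...` (from the Wireshark tools) before a single `bro -r merged.pcap` run, which avoids splitting connections across separate Bro invocations; a reported gap means a connection bridging those two files would already have been expired under the chosen timeout, and only a longer timeout or a merged file can keep it whole.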