[Bro] Bro with 10Gb NIC's or higher

John Donnelly jdonnelly at dyn.com
Fri Jan 9 11:31:16 PST 2015


Hi,
What is the name of the log and where is it located?


On Thu, Jan 8, 2015 at 10:41 AM, Brandon Lattin <latt0050 at umn.edu> wrote:

> Turn on the capture-loss script by adding the following to your local.bro:
>
> @load misc/capture-loss
>
> On Thu, Jan 8, 2015 at 10:31 AM, John Donnelly <jdonnelly at dyn.com> wrote:
>
>> How does one know if bro is dropping (10%) of messages?
>>
>> On Thu, Jan 8, 2015 at 9:28 AM, Mike Patterson <
>> mike.patterson at uwaterloo.ca> wrote:
>>
>>> Succinctly, yes, although that provision is a big one.
>>>
>>> I'm running Bro on two 10 gig interfaces, an Intel X520 and an Endace
>>> DAG 9.2X2. Both perform reasonably well. Although my hardware is somewhat
>>> underspecced (Dell R710s of differing vintages), I still get tons of useful
>>> data.
>>>
>>> If your next question would be "how should I spec my hardware", that's
>>> quite difficult to answer because it depends on a lot. Get the hottest CPUs
>>> you can afford, with as many cores. If you're actually sustaining 10+Gb
>>> you'll probably want at least 20-30 cores. I'm sustaining 4.5Gb or so on 8
>>> 3.7GHz cores, but Bro reports 10% or so loss. Note that some hardware
>>> configurations will limit the number of streams you can feed to Bro, e.g. my
>>> DAG can only produce 16 streams so even if I had it in a 24 core box, I'd
>>> only be making use of 2/3 of my CPU.
>>>
>>> Mike
>>>
>>> > On Jan 7, 2015, at 5:04 AM, coen bakkers <cbakkers at yahoo.de> wrote:
>>> >
>>> > Does anyone have experience with higher speed NICs and Bro? Will it
>>> sustain 10Gb speeds or more provided the hardware is spec'd appropriately?
>>> >
>>> > regards,
>>> >
>>> > Coen
>>> > _______________________________________________
>>> > Bro mailing list
>>> > bro at bro-ids.org
>>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>>
>>
>>
>
>
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>
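
Added example, not part of the original thread and not Bro project code: with `misc/capture-loss` loaded, Bro writes its loss estimates to `capture_loss.log` in the same directory as its other logs. The Python below aggregates that log per worker and lists workers above a loss threshold; the sample records and the 5% threshold are constructed, and column names are read from the log's `#fields` header.

```python
"""Aggregate Bro capture_loss.log records per worker (added example)."""

# Constructed sample in Bro's tab-separated log layout; all values are made up.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tcapture_loss",
    "#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost",
    "#types\ttime\tinterval\tstring\tcount\tcount\tdouble",
    "1420745400.0\t900.0\tworker-1\t120\t48000\t0.25",
    "1420745400.0\t900.0\tworker-2\t5000\t50000\t10.0",
    "1420745400.0\t900.0\tworker-3\t0\t0\t0.0",
    "1420746300.0\t900.0\tworker-1\t150\t50000\t0.3",
    "1420746300.0\t900.0\tworker-2\t5500\t50000\t11.0",
    "#close\t2015-01-08-20-00-00",
])

def parse_bro_log(lines):
    """Yield one dict per record; column names come from the #fields header."""
    fields = None
    for line in lines:  # works for an open file or a list of strings
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))

def loss_by_peer(records):
    """Sum gaps and ACKs per worker and return {peer: percent lost}."""
    totals = {}
    for rec in records:
        gaps, acks = totals.get(rec["peer"], (0, 0))
        totals[rec["peer"]] = (gaps + int(rec["gaps"]), acks + int(rec["acks"]))
    # A worker that saw no ACKs gives no basis for an estimate; report 0.0.
    return {p: (100.0 * g / a if a else 0.0) for p, (g, a) in totals.items()}

def lossy_peers(lines, threshold_pct=5.0):
    """Return sorted (peer, percent) pairs whose aggregate loss exceeds the threshold."""
    pct = loss_by_peer(parse_bro_log(lines))
    return sorted((p, round(v, 2)) for p, v in pct.items() if v > threshold_pct)

if __name__ == "__main__":
    for peer, pct in lossy_peers(SAMPLE_LOG.splitlines()):
        print(f"{peer}: {pct}% estimated capture loss")
```

Aggregating per worker rather than reading single intervals shows whether loss is spread evenly or concentrated on one overloaded stream.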