[Bro] question about intel files

philosnef philosnef at yahoo.com
Tue Aug 2 07:33:09 PDT 2016


We are running pfring with lb_procs=20. We have 40 cores on the box.  

    On Tuesday, August 2, 2016 10:22 AM, Seth Hall <seth at icir.org> wrote:
 

 
> On Aug 2, 2016, at 8:43 AM, philosnef <philosnef at yahoo.com> wrote:
> 
> Are intel files loaded into memory or statically evaluated?

It's loaded into memory.  It's just using normal Bro data types which have some overhead.

> We have about 2000 lines of intel (cert hash, file hash, domain) currently. This new addition would drive this up to ~35,000 lines of intel. We are trying to determine if this is practical given our current load on the box.

Generally I would expect that amount of intelligence to be fine.  It seems as though you may have some other trouble in your deployment though.

> Also, why does bro continuously chew ram up? When first started, bro eats about 80 gigs, then moves up through the day to about 120-175.]

How many workers are you running?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160802/250a548c/attachment.html 


More information about the Bro mailing list