[Bro] Critical Stack requirements

Paul Halliday paul.halliday at gmail.com
Thu Jan 21 10:06:47 PST 2016


Mike is correct.

When you create a collection the status indicator will actually warn you
if the collection has too many indicators.

Try sorting the feeds by "Most Subscribers" and cherry pick from there. You
can also try searching for terms like C&C, Botnet, Malware, Malicious etc
via the search box at the top of the feeds page.

As for why have a feed with 700K+ indicators? There are quite a few folks
that use the feeds outside of tools like Bro that consume and use all
available indicators.

HTH.


On Thu, Jan 21, 2016 at 1:40 PM, Monah Baki <monahbaki at gmail.com> wrote:

> I subscribed to bambenekconsulting.com-DGA-Domains and the
> master-public.bro.dat is 132MB in size.
>
> I went with the most popular feed, I am open to suggestions as to what
> feed to subscribe. I am interested in CNC alerts and malicious sites.
>
> We have a 150MB pipe to the internet and around 70 users in the office.
>
> I am running 1 worker though.
>
> Thanks
>
>
> On Thu, Jan 21, 2016 at 12:27 PM, Mike Dopheide <dopheide at gmail.com>
> wrote:
> > How many CriticalStack feeds are you subscribing to and against how much
> > bandwidth are you monitoring?
> >
> > I've heard a rough recommendation that anything more than 100k indicators
> > can be pretty rough.  We run with 90k against an average 1G traffic
> without
> > any problems (14 workers).
> >
> > -Dop
> >
> > On Thu, Jan 21, 2016 at 11:19 AM, Monah Baki <monahbaki at gmail.com>
> wrote:
> >>
> >> Hi all,
> >>
> >>
> >> Running SecurityOnion and trying to implement Critical Stack with
> >> Bro, server running 24GB RAM the system becomes unresponsive in 30
> >> seconds. All memory and swap is utilized by then. Any documentation
> >> that show sizing of Bro and Critical Stack?
> >>
> >> If I remove criticalstack from local.bro, it's back to normal.
> >>
> >> Thanks
> >> Monah
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> >
>



-- 
Paul Halliday
http://www.pintumbler.org/
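As an added example (not from this thread and not part of the Critical Stack or Bro tooling): a small Python script that counts the indicators in a Bro intel file such as master-public.bro.dat, breaks them down per feed and per indicator type, and flags the total against the ~100k rule of thumb Mike mentions, so you can see which feed to drop first. The file layout (a `#fields` header naming tab-separated columns) is the Bro Intel framework's own; the sample rows, feed names and addresses below are constructed.

```python
from collections import Counter

# Rule of thumb quoted in the thread (not a Bro/Zeek hard limit).
INDICATOR_CAP = 100_000

def parse_intel(text):
    """Parse a Bro Intel-framework file: a '#fields' line names the
    tab-separated columns, other '#' lines are comments, each remaining
    line is one indicator row. Returns a list of {field: value} dicts."""
    fields, rows = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or (line.startswith("#") and not line.startswith("#fields")):
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(cols)}")
        rows.append(dict(zip(fields, cols)))
    return rows

def size_report(rows, cap=INDICATOR_CAP):
    """Total indicators, per-feed and per-type counts, whether the total
    exceeds the cap, and the heaviest feed (the one to unsubscribe first)."""
    by_source = Counter(r.get("meta.source", "<none>") for r in rows)
    by_type = Counter(r.get("indicator_type", "<none>") for r in rows)
    heaviest = by_source.most_common(1)[0][0] if rows else None
    return {"total": len(rows), "over_cap": len(rows) > cap,
            "by_source": dict(by_source), "by_type": dict(by_type),
            "heaviest": heaviest}

# Constructed sample in the intel file layout; feed names, domains and the
# 192.0.2.0/24 addresses are placeholder/documentation values, not real IoCs.
SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url",
    "bad-a.example\tIntel::DOMAIN\tfeed-dga\tconstructed\t-",
    "bad-b.example\tIntel::DOMAIN\tfeed-dga\tconstructed\t-",
    "bad-c.example\tIntel::DOMAIN\tfeed-dga\tconstructed\t-",
    "192.0.2.10\tIntel::ADDR\tfeed-cnc\tconstructed\t-",
    "192.0.2.11\tIntel::ADDR\tfeed-cnc\tconstructed\t-",
])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. master-public.bro.dat
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE
    rep = size_report(parse_intel(text))
    print(f"total={rep['total']} over_cap={rep['over_cap']} heaviest={rep['heaviest']}")
    for src, n in sorted(rep["by_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:>8}  {src}")
```

Run it against the real file with `python3 intel_size.py /path/to/master-public.bro.dat`; without an argument it runs on the constructed sample.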