[Bro] Critical Stack requirements

Liam Randall liam.randall at gmail.com
Thu Jan 21 10:13:01 PST 2016


Hey Baki,

Using the "Metrics" tab you can analyze the size in "count" of indicators
by collection over time.

You may want to limit your deployments to between 100-200k indicators
depending on cluster size, traffic, traffic types, etc.

There are three bambenek feeds available:
-- precomputed dga feed (900k + elements)
-- C&C IPs (260+)
-- C&C Domains (330+)

Try building a collection with fewer items on it and then issuing an update.

If you look under your "collections" tab the "status" column will give you
some feedback about the size of your collection.


Please feel free to open a ticket with us directly if you have any further
problems.

V/r,

Liam Randall

On Thu, Jan 21, 2016 at 12:40 PM, Monah Baki <monahbaki at gmail.com> wrote:

> I subscribed to bambenekconsulting.com-DGA-Domains and the
> master-public.bro.dat is 132MB in size.
>
> I went with the most popular feed, I am open to suggestions as to what
> feed to subscribe. I am interested in CNC alerts and malicious sites.
>
> We have a 150MB pipe to the internet and around 70 users in the office.
>
> I am running 1 worker though.
>
> Thanks
>
>
> On Thu, Jan 21, 2016 at 12:27 PM, Mike Dopheide <dopheide at gmail.com>
> wrote:
> > How many CriticalStack feeds are you subscribing to and against how much
> > bandwidth are you monitoring?
> >
> > I've heard a rough recommendation that anything more than 100k indicators
> > can be pretty rough.  We run with 90k against an average 1G traffic without
> > any problems (14 workers).
> >
> > -Dop
> >
> > On Thu, Jan 21, 2016 at 11:19 AM, Monah Baki <monahbaki at gmail.com>
> > wrote:
> >>
> >> Hi all,
> >>
> >>
> >> Running SecurityOnion and trying to implement Critical Stack with
> >> Bro, server running 24GB RAM the system becomes unresponsive in 30
> >> seconds. All memory and swap is utilized by then. Any documentation
> >> that shows sizing of Bro and Critical Stack?
> >>
> >> If I remove criticalstack from local.bro, it's back to normal.
> >>
> >> Thanks
> >> Monah
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> >
>
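Liam's reply above suggests keeping a deployment to roughly 100k-200k indicators and checking the per-collection counts before pushing an update. The script below is an added example (not Critical Stack or Bro project code) that does the same check offline on the generated intel file: it parses a Bro Intel framework file such as the master-public.bro.dat Monah mentions, counts indicators by indicator_type and by meta.source (so the heaviest collection stands out), and flags the total against that budget. It assumes the file uses the Intel framework layout (a tab-separated `#fields` header naming at least `indicator`, `indicator_type` and `meta.source`, one indicator per line); the sample rows embedded in it are constructed, not real feed data.

```python
"""Count indicators in a Bro Intel framework file per type and per source, and
compare the total against an indicator budget.

Added example, not Critical Stack or Bro project code. Assumes the Bro Intel
layout: a tab-separated '#fields' header line, then one indicator per line.
Other lines beginning with '#' are treated as comments and skipped.
"""
from collections import Counter
import io
import sys

# Budget from the thread: keep a deployment to roughly 100k-200k indicators.
INDICATOR_BUDGET = 200_000


def parse_intel_file(lines):
    """Yield (indicator, indicator_type, meta.source) for every data line."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if line.startswith("#fields"):
            # Column names follow the '#fields' token, tab-separated.
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header/comment lines
        if fields is None:
            raise ValueError("data line before #fields header")
        row = dict(zip(fields, line.split("\t")))
        yield (row.get("indicator", ""),
               row.get("indicator_type", ""),
               row.get("meta.source", ""))


def summarize(lines, budget=INDICATOR_BUDGET):
    """Return totals by type and by source plus an over-budget flag."""
    by_type = Counter()
    by_source = Counter()
    total = 0
    for _indicator, itype, source in parse_intel_file(lines):
        total += 1
        by_type[itype] += 1
        by_source[source] += 1
    return {
        "total": total,
        "by_type": dict(by_type),
        "by_source": dict(by_source),
        "over_budget": total > budget,
    }


# Constructed sample in the Bro Intel layout (not real feed data).
SAMPLE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url",
    "192.0.2.10\tIntel::ADDR\tfeed-a\tconstructed address\thttp://example.invalid/a",
    "198.51.100.7\tIntel::ADDR\tfeed-a\tconstructed address\thttp://example.invalid/a",
    "dga-one.example\tIntel::DOMAIN\tfeed-b\tconstructed domain\thttp://example.invalid/b",
    "dga-two.example\tIntel::DOMAIN\tfeed-b\tconstructed domain\thttp://example.invalid/b",
    "dga-three.example\tIntel::DOMAIN\tfeed-b\tconstructed domain\thttp://example.invalid/b",
]) + "\n"


def report(path=None, budget=INDICATOR_BUDGET):
    """Summarize a file on disk, or the embedded sample when no path is given."""
    stream = io.StringIO(SAMPLE) if path is None else open(
        path, encoding="utf-8", errors="replace")
    with stream:
        return summarize(stream, budget)


if __name__ == "__main__":
    # Usage: python intel_count.py /path/to/master-public.bro.dat
    summary = report(sys.argv[1] if len(sys.argv) > 1 else None)
    print(f"total indicators: {summary['total']} "
          f"(budget {INDICATOR_BUDGET}, over budget: {summary['over_budget']})")
    for label in ("by_type", "by_source"):
        print(label)
        for key, n in sorted(summary[label].items(), key=lambda kv: -kv[1]):
            print(f"  {key:<20} {n}")
```

Running it against the real master-public.bro.dat gives the same count-by-collection view that the Metrics tab shows, which makes it easy to see which subscription (for example the 900k-element precomputed DGA feed) is responsible for most of the total before deciding which collection to trim.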