[Bro] Bro clustered limit load

David elhijo at 0lim.net
Mon Jun 13 05:48:18 PDT 2016


Hi,

I'd like to know if there is a way to select which script a worker is 
loading.
The goal is to limit the packets that need to be analyzed.
On a dedicated interface I've mirrored traffic going to one of our 
servers, which has, along with other protocols, tons of DNS and NFS traffic. 
I'm only interested in DNS traffic.
NFS can be bandwidth consuming (up to 600mbps with capstats), so I'd like 
Bro to only analyze DNS packets.
Can we tell Bro to only load the DNS inspector for a given interface/worker?

I've also thought of firewalling everything except udp/53, but I would have 
to give the network interface an IP address....


Thanks,

David

