[Bro] Bro clustered limit load

Hosom, Stephen M hosom at battelle.org
Mon Jun 13 07:08:55 PDT 2016


David, 

You could apply a BPF in Bro.

https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html

The packets will still hit the interface, but Bro will only monitor the packets based on the BPF.

________________________________________
From: bro-bounces at bro.org [bro-bounces at bro.org] on behalf of David [elhijo at 0lim.net]
Sent: Monday, June 13, 2016 8:48 AM
To: bro at bro.org
Subject: [Bro] Bro clustered limit load

Hi,

I'd like to know if there is a way to select which script a worker is
loading.
The goal is to limit the packets that need to be analyzed.
On a dedicated interface I've mirrored traffic going to one of our
servers, which has, along with other protocols, tons of DNS and NFS traffic;
I'm only interested in DNS traffic.
NFS can be bandwidth consuming (up to 600 Mbps with capstats), so I'd like
Bro to only analyze DNS packets.
Can we tell Bro to only load the DNS inspector for a given interface/worker?

I've also thought of firewalling everything except udp/53, but I would have
to give the network interface an IP address....


Thanks,

David
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
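An added example of the approach Stephen describes (not code from either poster): a `local.bro` fragment that uses the packet-filter framework's `restrict_filters` table to make Bro analyze only DNS, and narrows it to a single cluster worker. The worker name `worker-1` and the filter ID `only-dns` are assumed names; adjust them to your `node.cfg`.

```bro
# Added example: restrict the BPF Bro installs so only DNS reaches the
# analyzers. Packets still arrive at the NIC; Bro just drops the rest early.
@load base/frameworks/packet-filter
@load base/frameworks/cluster

# Entries in PacketFilter::restrict_filters are AND-ed into the final BPF.
# Apply the restriction standalone, or only on the worker named below
# (assumed name "worker-1") so other workers keep full visibility.
@if ( ! Cluster::is_enabled() || Cluster::node == "worker-1" )
redef PacketFilter::restrict_filters += {
	# Both UDP and TCP DNS; NFS (and everything else) is filtered out.
	["only-dns"] = "port 53",
};
@endif
```

After a restart, the filter Bro actually installed is recorded in `packet_filter.log`, which is the quickest way to confirm the restriction took effect on the intended node.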
