[Bro] Have a cluster infrastructure read pcaps

william de ping bill.de.ping at gmail.com
Mon Oct 31 04:34:25 PDT 2016


Hi Erik,

I was hoping for some solution that will keep the bro process loaded and
running and feed it pcaps.
This way I can at least skip the recurring loading process.



On Mon, Oct 31, 2016 at 12:37 PM, erik clark <philosnef at gmail.com> wrote:

> If you can't run mergecap, you are going to have to do it as I posted
> elsewhere on the mailing list (few days ago?) to walk the tree (simple
> shell script). You will not be able to have Bro parse a bunch of pcaps
> continuously. You will have to call it once for every pcap you have, and
> deal with it that way.
>
> Aside from which, if you need to keep the bro logs separate for each pcap,
> even if you could process a bunch of these at once, bro is going to
> commingle your logs, which you don't seem to want.
>
> On Mon, Oct 31, 2016 at 4:25 AM, william de ping <bill.de.ping at gmail.com>
> wrote:
>
>> Hi Erik,
>>
>> I cannot use mergecap and merge my pcaps because I need to keep them
>> separated.
>> The reason for that is that I want to keep track of and eventually store the
>> pcap file with its relevant log files produced from bro.
>> Therefore I want to keep the pcap file name.
>>
>> Any ideas ?
>>
>> Thanks
>>
>>
>>
>> On Sun, Oct 30, 2016 at 9:26 PM, erik clark <philosnef at gmail.com> wrote:
>>
>>> Run mergecap against your files and run bro against the one pcap file
>>> that way. Call it done.
>>>
>>>
>>>>
>>>> Hi all,
>>>>
>>>> I have an issue with processing multiple pcap files in bro.
>>>> Due to the fact that loading all of bro's scripts and infrastructure is
>>>> a time consuming task, processing each pcap file takes longer than it
>>>> should.
>>>>
>>>> Is there any way that a bro cluster could be up and running and have
>>>> its workers process the pcap files?
>>>>
>>>> btw, it needs to be a pcap file and not live capture using tcpreplay for
>>>> transmitting them because of time issues (some sessions might be very
>>>> long and bro will process the pcap file faster than retransmitting the
>>>> same pcap file).
>>>>
>>>> If anyone can think of a better way to accomplish it, I am free for
>>>> offers :)
>>>>
>>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
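The approach Erik describes above (walk the tree with a shell script and call bro once per pcap, so each pcap's logs stay separate and keep the pcap's name) written out as an added example. This is not code from the thread or from the Bro project. It assumes Bro 2.x behaviour of writing conn.log, http.log and friends into the current working directory when run with `-r`, and that `bro` is on PATH (override with the BRO_CMD variable); the output layout, the `source.pcap.path` and `exit.status` marker files and the function names are my own choices.

```shell
#!/bin/sh
# Run Bro once per pcap, keeping each pcap's logs in a directory that mirrors
# the pcap's path under the output root (so same-named pcaps in different
# subdirectories do not collide). Added example, not Bro project code.
# Assumption: Bro writes its logs into the cwd when invoked with -r.

BRO_CMD="${BRO_CMD:-bro}"   # e.g. BRO_CMD="/opt/bro/bin/bro -C" to ignore checksums

# process_one PCAP OUTDIR
# Analyse one pcap from inside OUTDIR so the logs land beside a note of which
# pcap produced them and Bro's exit status. Returns that exit status.
process_one() {
    pcap=$1
    outdir=$2
    # Make the pcap path absolute: we cd away before handing it to Bro.
    case $pcap in
        /*) ;;
        *)  pcap="$PWD/$pcap" ;;
    esac
    mkdir -p "$outdir" || return 1
    printf '%s\n' "$pcap" > "$outdir/source.pcap.path"
    (cd "$outdir" && $BRO_CMD -r "$pcap" > bro.stdout 2> bro.stderr)
    status=$?
    printf '%s\n' "$status" > "$outdir/exit.status"
    return "$status"
}

# process_tree PCAPDIR OUTROOT
# Walk PCAPDIR recursively; every .pcap/.pcapng gets OUTROOT/<relative path
# without extension>/ as its log directory. Returns non-zero if any run failed.
process_tree() {
    pcapdir=${1%/}
    outroot=$2
    mkdir -p "$outroot" || return 1
    find "$pcapdir" -type f \( -name '*.pcap' -o -name '*.pcapng' \) -print |
    sort |
    while IFS= read -r f; do
        rel=${f#"$pcapdir"/}
        process_one "$f" "$outroot/${rel%.*}" ||
            printf 'bro failed on %s\n' "$f" >&2
    done
    # The while loop above runs in a subshell (it is fed by a pipe), so a
    # failure counter would be lost; read the per-pcap status files instead.
    if find "$outroot" -name exit.status -exec cat {} + | grep -qv '^0$'; then
        return 1
    fi
    return 0
}

# count_outputs OUTROOT: number of per-pcap result directories produced.
count_outputs() {
    find "$1" -name exit.status | wc -l | tr -d ' '
}

# Usage: sh process_pcaps.sh /data/pcaps /data/bro-out
if [ "$#" -eq 2 ]; then
    process_tree "$1" "$2"
fi
```

Each Bro invocation still pays the full script-loading cost, which is the overhead the original question is about; what the script buys you is the one-pcap-to-one-log-directory mapping without any commingling. To recover wall-clock time on a multi-core box, feed the pcap list to several copies of this script in parallel (for example with `xargs -P`), since the per-run startup cost is then paid concurrently rather than in series.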