[Bro] several questions for introducing Bro to commercial system
Johanna Amann
johanna at icir.org
Tue Mar 14 11:13:42 PDT 2017
Hi,
> 1. Bro stores captured data into XXX.log files(XXX is http for example).
> In this case, how much data does Haka store into local file system per
> transaction? If you have any reference data, please let me know.
I think the best way to answer this is to just try it out for yourself
with some Bro log files. The size of log files generally also differs a
lot; some of them have much londer lines than others.
> 2. When Bro introduced machine has broken and fixed it, is it possible
> to continue the process(packet capturing process and storing data
> process into local file system) using the fixed machine without any
> problems?
I am not 100% sure what you mean here. If a maching running a few worker
processes fails, they can be restarted later and will just resume sending
data to the manager (assuming the installation is still intact). Local
held state will be lost however (Bro does not tend to write internal
variables to disk).
> 3. What is the market share in the network forensic domain?
I don't think we have any information on this.
Johanna
More information about the Bro
mailing list