(Sorry it took me so long to reply - your mail slipped between the cracks
during the holidays)
> It seems to be hard to do pattern-matching in Bro to find a pattern in
> normal packets (packets that don't init/terminate an event, or that aren't
> part of a protocol command like "STOR xxx" in FTP but are in the content of
> file xxx). For example, I want to alert on any attempt to use the command
> "su" on a Telnet session, or alert if any file uploaded via FTP contains
> the pattern of a worm...
For Telnet sessions, this is easy - do the matching in login_input_line
or login_output_line. For files uploaded via FTP, this isn't in general
possible, since Bro relies significantly on filtering to reduce its
processing load, and to capture uploaded files would require processing
nearly the entire traffic stream.
> I am about to build three Bro machines, and I'm trying to determine what
> hardware to buy. These machines will all monitor gigabit ethernet links
> and will be running FreeBSD-STABLE.
> Here's my first pass:
> 800 MHz PIII or better
> at least 2 64-bit PCI slots
> 256 MB RAM
> 3 x 40GB+ ATA100 HD
> ATAPI CD-ROM
> 10/100 Ethernet
> 2 x SysKonnect SK-9842 SK-NET GE-SX
> lame AGP SVGA card
> I'm a little bit uncertain about the IDE disk, but the 40GB disks are less
> than $200 each -- I can have over 100GB of logging space this way. I'm
> normally a SCSI bigot, but lately I'm not sure it's worth it in all
All in all, that system looks good. The key question in general is just
how large a traffic stream will you be monitoring. The above should be
fine for a good-sized site (say 1000 hosts, in my experience). Much larger
and you'll want to increase the RAM.
> Are the SysKonnect cards the way to go?
That's what we use, generally to good effect. Others may work fine,
too, I don't know.
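As an added illustration of the Telnet case described in the reply above (this is not code from the original mail or from the Bro distribution), here is the kind of policy script that does the matching in login_input_line and login_output_line. It assumes the event signatures of Bro's login analyzer, event login_input_line(c: connection, line: string) and event login_output_line(c: connection, line: string), the old-style log statement, and the connection_finished event; the su pattern, the table and set names, and the message text are my own choices.

```bro
# Added example, not from the original thread: flag "su" typed on an
# interactive login (Telnet/rlogin) session, and confirm it with the
# "Password:" prompt the server sends back on the output side.
# Assumptions: the login analyzer is loaded and provides
#   event login_input_line(c: connection, line: string)
#   event login_output_line(c: connection, line: string)
# and the "log" statement writes to Bro's log file.
@load login

# Match "su" as a whole command word (optional leading blanks, "su",
# optionally "-" and/or a user name), so that "sudo", "summary" or
# "status" do not match.  &redef lets a site tune it from its own policy.
const su_cmd =
	/^[[:blank:]]*su([[:blank:]]+-?[[:blank:]]*[A-Za-z0-9_]*)?[[:blank:]]*$/ &redef;

# Sessions on which an su line has been seen but not yet answered.
global pending_su: set[conn_id];

# Running count of su attempts per originating host, for a summary.
global su_attempts: table[addr] of count &default = 0;

event login_input_line(c: connection, line: string)
	{
	if ( su_cmd in line )
		{
		add pending_su[c$id];
		++su_attempts[c$id$orig_h];
		log fmt("su attempt on login session %s:%s > %s:%s (\"%s\")",
			c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, line);
		}
	}

event login_output_line(c: connection, line: string)
	{
	# A password prompt right after the su line means the server accepted
	# the command; anything else (e.g. "command not found") is ignored.
	if ( c$id in pending_su && /[Pp]assword:/ in line )
		{
		delete pending_su[c$id];
		log fmt("su password prompt on login session %s:%s > %s:%s",
			c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
		}
	}

# Drop per-session state when the connection goes away.
event connection_finished(c: connection)
	{
	if ( c$id in pending_su )
		delete pending_su[c$id];
	}
```

The input side alone would also fire on a user who mistypes or is refused; looking at the server's reply in login_output_line is what separates an attempted su from one that actually reached the password prompt. Note that login_input_line only sees lines the login analyzer could reassemble, so a session that the filter never captured, or that was encrypted, will not produce the event.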
I am about to build three Bro machines, and I'm trying to determine what
hardware to buy. These machines will all monitor gigabit ethernet links
and will be running FreeBSD-STABLE.
Here's my first pass:
800 MHz PIII or better
at least 2 64-bit PCI slots
256 MB RAM
3 x 40GB+ ATA100 HD
2 x SysKonnect SK-9842 SK-NET GE-SX
lame AGP SVGA card
I'm a little bit uncertain about the IDE disk, but the 40GB disks are less
than $200 each -- I can have over 100GB of logging space this way. I'm
normally a SCSI bigot, but lately I'm not sure it's worth it in all
Are the SysKonnect cards the way to go?
Jon Dugan | Senior Network Engineer, NCSA Network Development
jdugan(a)ncsa.uiuc.edu | 57C CAB, 605 E Springfield, Champaign, IL 61820
217/244-7715 | http://www.ncsa.uiuc.edu/people/jdugan