Hi all, with this email I just want to share my (still ongoing) research work with you and hope to get some community feedback. For a few months I have been working on what we call a Bro deep cluster:

A deep cluster is envisioned to provide better scalability properties than the current Bro cluster framework. That would allow providing one administrative interface for several conventional clusters and/or standalone nodes to monitor several links at once. Due to its scalability it can bring monitoring from the edge of the monitored network into its depth (-> deep cluster).

A deep cluster requires an auto-configuration mechanism that goes beyond what BroControl is currently providing. The goal is to set up large numbers of Bro instances that might be deployed in different parts of the network (or in different networks). Afterwards, these instances need to communicate with each other to share data and to provide security operators with a common view of their networks.

An example for this would be that you have a huge network within a US-wide operating company that hosts several production sites on the east and the west coast. Currently, you would monitor each production site individually with a Bro cluster. With a deep cluster you would be able to monitor, and to configure the monitoring for, all production sites at once. For example, this might allow detecting a slow distributed port scan across the whole network that would remain unnoticed in the case of one isolated Bro cluster per production site.

More information is provided on the following website, including some hints on how to run the current (development) version of the deep cluster: https://www.bro.org/development/projects/deep-cluster.html

Feedback, hints, and advice are highly appreciated.

Mathias

--
Mathias Fischer
International Computer Science Institute
Berkeley, USA
http://www.icsi.berkeley.edu/~mfischer/
