basic bro health monitor

I discovered this weekend that it would be nice to be made aware of many of the following situations: high CPU load, large memory footprint, unusually large connections/minute recorded, or a large number of drops/minute activated in a running bro.

Having bro alert on this information can give us a better idea of when unusual (as in hostile) things are happening to the network.

This is a basic outline for a monitor script - it is a bit rough around the edges, but it seems to do the job. Making additions to the script should be trivial.

scott

monitor.bro (2.43 KB)