What are the characteristics to look at when buying hardware to run Bro on?

Something that can run an OS that supports kernel BPF, e.g., FreeBSD,
NetBSD, BSDi, Tru64. There are no doubt others, and I believe there's
a kernel BPF port for Linux in the works, but I don't know if anyone
is shipping it.

What values do you suggest for monitoring a 100 Mbps link or a Gigabit link?

The key is not the link speed so much as the traffic volume over that
link, and, in particular, the volume of traffic accepted by the packet
filter. In the past, we've successfully monitored some medium-sized sites
(2000 users) with 400 MHz Pentiums running FreeBSD. You should have
a good amount of memory, say 256 MB or more. If you have a few hundred
users, then a vanilla 9 GB drive will probably work fine. If you have a lot
more, then you will want larger drives. It also depends on how long a record you want
to keep on-line. (Experience shows you'll at least want a week, to allow
retrospective analysis of activity.) We use the CCD driver under FreeBSD
to stripe several drives together into one large, fast partition, and
also have an off-line archive machine on which we keep everything other
than the raw traces going back quite a ways.
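As an added example of the CCD striping the answer above mentions (this script is not from the Bro FAQ or the Bro project): a small sh script that writes the `/etc/ccd.conf` entry for a stripe set and then configures, formats and mounts it. It assumes FreeBSD with the ccd(4) driver available as a loadable module, that the component partitions are unused and already labelled, a 32-sector interleave, and the `/dev/ccd0` device node name; the partition names in the usage line are placeholders for your own disks.

```sh
#!/bin/sh
# Added example (not from the Bro FAQ): build a FreeBSD ccd(4) stripe set to hold
# Bro's on-line traces and logs on one large, fast partition.
# Assumptions: FreeBSD, ccd available via kldload, unused labelled component
# partitions, 32-sector interleave, device node /dev/ccd0.

# Emit one /etc/ccd.conf line in the form "<ccd> <interleave> <flags> <components>".
# Interleave is in sectors; the flag 'none' means plain striping without mirroring.
# Refuses to build a "stripe" from fewer than two components.
ccd_conf_line() {
    dev=$1; ileave=$2; shift 2
    if [ $# -lt 2 ]; then
        echo "ccd_conf_line: need at least two component partitions" >&2
        return 1
    fi
    printf '%s\t%s\tnone\t%s\n' "$dev" "$ileave" "$*"
}

# Create and mount the stripe. Needs root and only makes sense on FreeBSD,
# so it is kept in a function and not run when the script is merely sourced.
setup_stripe() {
    mnt=$1; shift
    kldload ccd 2>/dev/null || true               # load the driver unless built in
    ccd_conf_line ccd0 32 "$@" > /etc/ccd.conf || return 1
    ccdconfig -C                                  # configure every entry in /etc/ccd.conf
    newfs /dev/ccd0                               # assumed node name; older releases used /dev/ccd0c
    mkdir -p "$mnt" && mount /dev/ccd0 "$mnt"
}

# Usage (as root, on a FreeBSD box with spare disks; partition names are placeholders):
#   setup_stripe /usr/local/bro/logs /dev/da0s1e /dev/da1s1e /dev/da2s1e
```

Keeping the traces on the stripe and moving everything else to the off-line archive, as the answer describes, means the stripe only has to hold the on-line window (a week or more) of raw traffic.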