I’m overhauling some East / West sensors, and one thought is to deploy Zeek to minimize what we need to manage (as opposed to individual Snort / Argus sensors). Since these machines are using Intel 525 cards, I will be using PF_RING as a load balancer. Does the Bro RPM support this? I looked and don’t think so, though I wanted to ask here before rolling my own RPM.
Please excuse any typos / brevity, I'm on my mobile.
Thank you,
I’m eventually going to change it to use AF_PACKET instead, as that’s what seems to be recommended in past threads from the Zeek folks. I’ve also been using AF_PACKET in my own production system at work without issues.