Hello,
My colleagues and I are interested in hearing about how some of you manage your
clusters and scripts.
Are most of your scripts from the Bro git repo? Or have you collected/developed
a lot over time? Especially for the latter, how many are you running in production?
Is it typical to worry about the performance impact of adding scripts; do you
ever remove things because packet drops grow too high? Or is it just time for
more hardware?
Along those lines, how big is your cluster (nodes/workers)? I've heard roughly
100 Mbps/core. Does this mean it's not uncommon to have a 400-core cluster for 40G?
How do you test your scripts? Are you really attentive about keeping PCAPs to
trigger alerts, etc?
Many thanks!
Matt