Several questions for introducing Bro to a commercial system

Hello,

I am trying to introduce Bro to an enterprise system for security enhancement purposes.

I have several questions. Could you please answer the following questions?

  1. Bro stores captured data into XXX.log files (XXX is http, for example). In this case, how much data does Haka store into the local file system per transaction? If you have any reference data, please let me know.

  2. When the machine Bro is introduced on has broken and been fixed, is it possible to continue the process (the packet capturing process and the process of storing data into the local file system) using the fixed machine without any problems?

  3. What is the market share in the network forensic domain?

Best regards,

Hi,

> 1. Bro stores captured data into XXX.log files (XXX is http, for example).
> In this case, how much data does Haka store into the local file system per
> transaction? If you have any reference data, please let me know.

I think the best way to answer this is to just try it out for yourself
with some Bro log files. The size of log files generally also differs a
lot; some of them have much longer lines than others.

> 2. When the machine Bro is introduced on has broken and been fixed, is it
> possible to continue the process (the packet capturing process and the
> process of storing data into the local file system) using the fixed
> machine without any problems?

I am not 100% sure what you mean here. If a machine running a few worker
processes fails, they can be restarted later and will just resume sending
data to the manager (assuming the installation is still intact). Locally
held state will be lost, however (Bro does not tend to write internal
variables to disk).

> 3. What is the market share in the network forensic domain?

I don't think we have any information on this.

Johanna
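Following the suggestion in the reply above to measure log sizes yourself, here is an added example (not part of the original thread, and not Bro's own code) that parses Bro's tab-separated ASCII log format and reports bytes per record and the mean width of each field, so you can see which columns dominate the per-transaction cost. The embedded http.log is a constructed sample with made-up hosts and UIDs; point measure_file() at a real log to get figures for your own traffic.

```python
"""Estimate how many bytes a Bro ASCII log stores per transaction.

Added example, not code from the mailing-list thread or from the Bro
project. The sample log below is constructed (hypothetical addresses
and connection UIDs); run measure_file() on a real http.log, conn.log,
etc. to obtain reference numbers for your own deployment.
"""
from collections import Counter

# Constructed sample in Bro's ASCII log format: '#' header lines declare
# the separator, the unset/empty markers and the column names; every
# other line is one record (one transaction for http.log).
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tmethod\thost\turi\tstatus_code\tuser_agent\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tstring\tcount\tstring\n"
    "1483228800.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t203.0.113.10"
    "\t80\tGET\texample.test\t/\t200\tMozilla/5.0\n"
    "1483228801.250000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t51235\t203.0.113.10"
    "\t80\tPOST\texample.test\t/login\t302\tcurl/7.52.1\n"
    "1483228802.500000\tCtPZjS20MLrsMUOJi2\t10.0.0.5\t51236\t203.0.113.11"
    "\t80\tGET\texample.test\t/static/app.js\t200\t-\n"
    "#close\t2017-01-01-00-00-03\n"
)


def parse_bro_log(lines):
    """Yield (bytes_on_disk, record_dict) for every data line.

    Header lines are consumed to learn the separator, the unset marker
    ('-' by default) and the column names; they are not counted as
    transactions. Unset fields become None, empty fields become ''.
    """
    separator, unset, empty, fields = "\t", "-", "(empty)", None
    for line in lines:
        if line.startswith("#"):
            header = line.rstrip("\n")
            if header.startswith("#separator "):
                # Bro writes the separator escaped, e.g. "\x09" for a tab.
                separator = header[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = header.partition(separator)
            if key == "#fields":
                fields = value.split(separator)
            elif key == "#unset_field":
                unset = value
            elif key == "#empty_field":
                empty = value
            continue
        if fields is None:
            raise ValueError("data line encountered before #fields header")
        values = line.rstrip("\n").split(separator)
        record = {name: (None if v == unset else "" if v == empty else v)
                  for name, v in zip(fields, values)}
        # Size as stored on disk: the raw line including its newline.
        yield len(line.encode("utf-8")), record


def measure_log(lines):
    """Return record count, total bytes, bytes per record and mean field widths."""
    records, total_bytes, field_bytes = 0, 0, Counter()
    for nbytes, record in parse_bro_log(lines):
        records += 1
        total_bytes += nbytes
        for name, value in record.items():
            field_bytes[name] += len(("-" if value is None else value).encode("utf-8"))
    return {
        "records": records,
        "bytes": total_bytes,
        "bytes_per_record": total_bytes / records if records else 0.0,
        "field_mean_bytes": {n: b / records for n, b in field_bytes.items()} if records else {},
    }


def measure_text(text):
    """Convenience wrapper for an in-memory log (used for the sample)."""
    return measure_log(text.splitlines(keepends=True))


def measure_file(path):
    """Measure a log file on disk, e.g. /usr/local/bro/logs/current/http.log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return measure_log(fh)


def widest_fields(stats, n=3):
    """Names of the n fields with the largest mean width, widest first."""
    means = stats["field_mean_bytes"]
    return sorted(means, key=lambda name: means[name], reverse=True)[:n]


if __name__ == "__main__":
    stats = measure_text(SAMPLE_HTTP_LOG)
    print(f"{stats['records']} records, {stats['bytes']} bytes, "
          f"{stats['bytes_per_record']:.1f} bytes/record")
    print("widest fields:", widest_fields(stats))
```

Multiply bytes_per_record by your expected transaction rate to size local storage; note that the figure varies by log type (host, uri and user_agent columns make http.log much wider than, say, dns.log), which is the point made in the reply about line lengths differing a lot.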