The Bro Deep Cluster

Hi all,

with this email I just want to share my (still ongoing) research work
with you and hope to get some community feedback. For a few months I
have been working on what we call a Bro deep cluster:

A deep cluster is envisioned to provide better scalability properties
than the current Bro cluster framework. That would allow providing one
administrative interface for several conventional clusters and/or
standalone nodes to monitor several links at once. Due to its
scalability it can bring monitoring from the edge of the monitored
network into its depth (-> deep cluster).
A deep cluster requires an auto-configuration mechanism that goes beyond
what BroControl is currently providing. The goal is to set up large
numbers of Bro instances that might be deployed in different parts of
the network (or in different networks). Afterwards, these instances need
to communicate with each other to share data and to provide security
operators with a common view of their networks.

An example of this would be a huge network within a company operating
US-wide that hosts several production sites on the east and the west
coast. Currently, you would monitor each production site individually
with a Bro cluster. With a deep cluster you would be able to monitor, and
to configure the monitoring for, all production sites at once. For
example, this might allow detecting a slow distributed port scan across
the whole network that would remain unnoticed in the case of one
isolated Bro cluster per production site.

More information is provided on the following website, including some
hints on how to run the current (development) version of the deep cluster:

https://www.bro.org/development/projects/deep-cluster.html

Feedback, hints, and advice are highly appreciated.

Mathias
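The following is an added illustration of the distributed port-scan argument made in the message above; it is not code from the deep cluster project or from the author. It parses a few constructed conn.log-style records from two sites (the log lines, the site names, the addresses and the threshold of five distinct destination ports are all assumptions made for this example), then runs the same simple scan heuristic once per site and once over the merged data. The per-site view, which is what one isolated Bro cluster per site would have, never crosses the threshold; the network-wide view does.

```python
# Added example (not part of the original message): a slow port scan
# spread across two monitored sites is invisible to per-site detection but
# visible to a network-wide view. All log data below is constructed.
from collections import defaultdict

# Constructed conn.log-style excerpts, one per site. Columns (tab separated):
# ts  id.orig_h  id.resp_h  id.resp_p  -- only the fields this example needs.
SAMPLE_LOGS = {
    "east": """\
1000.0\t203.0.113.7\t10.1.0.5\t22
1600.0\t203.0.113.7\t10.1.0.5\t80
2200.0\t203.0.113.7\t10.1.0.5\t443
1100.0\t198.51.100.4\t10.1.0.5\t80
1200.0\t198.51.100.4\t10.1.0.5\t443
""",
    "west": """\
1300.0\t203.0.113.7\t10.2.0.9\t25
1900.0\t203.0.113.7\t10.2.0.9\t3306
2500.0\t203.0.113.7\t10.2.0.9\t8080
1400.0\t198.51.100.4\t10.2.0.9\t80
""",
}

# Assumed heuristic: a source is flagged as a port scanner once it has
# contacted at least this many distinct destination ports within the window.
SCAN_PORT_THRESHOLD = 5
SCAN_WINDOW_SECONDS = 3600.0


def parse_conn_log(site, text):
    """Parse the constructed log excerpt into (site, ts, orig_h, resp_h, resp_p)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p = line.split("\t")
        records.append((site, float(ts), orig_h, resp_h, int(resp_p)))
    return records


def distinct_ports_per_source(records, window=SCAN_WINDOW_SECONDS):
    """Count distinct destination ports per source within a sliding window
    ending at the latest record seen. A real detector would keep state per
    window; this is enough to show the aggregation effect."""
    if not records:
        return {}
    latest = max(rec[1] for rec in records)
    ports = defaultdict(set)
    for _site, ts, orig_h, _resp_h, resp_p in records:
        if latest - ts <= window:
            ports[orig_h].add(resp_p)
    return {orig_h: len(p) for orig_h, p in ports.items()}


def scanners(records, threshold=SCAN_PORT_THRESHOLD):
    """Sources whose distinct-port count reaches the threshold, sorted."""
    counts = distinct_ports_per_source(records)
    return sorted(h for h, n in counts.items() if n >= threshold)


def per_site_alerts(logs=SAMPLE_LOGS):
    """What one isolated cluster per site would report: each site sees only
    its own traffic and evaluates the threshold on that alone."""
    return {site: scanners(parse_conn_log(site, text)) for site, text in logs.items()}


def global_alerts(logs=SAMPLE_LOGS):
    """What a shared, network-wide view would report: the same heuristic run
    over the merged records of all sites."""
    merged = []
    for site, text in logs.items():
        merged.extend(parse_conn_log(site, text))
    return scanners(merged)


if __name__ == "__main__":
    print("per-site:", per_site_alerts())   # no site reaches 5 ports on its own
    print("global:  ", global_alerts())     # 203.0.113.7 touched 6 ports overall
```

The same heuristic is deliberately used in both views: the only difference is the scope of the data it sees, which is exactly the property the message attributes to a deep cluster. Real Bro scan detection keys on more than a port count (failed connections, time windows, address sweeps), so treat the threshold and window here as placeholders.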