[Bro] Help about Code

Ruoming Pang rpang at CS.Princeton.EDU
Wed Feb 2 10:31:10 PST 2005


Raghu,

Bro usually spends most of its time executing policy scripts (this,
of course, depends on the configuration). And when it's too slow, my
experience has been that it's often because some event is invoked too
many times. Thus the first step I would take is to find out which
events are invoked most frequently. There is a class of "high-risk"
events, for example, tcp_packet, http_header, etc., that can easily be
invoked too often and should be avoided when dealing with high-volume
live traffic.

> The following might help you:
>
>   http://www.icir.org/twiki/bin/view/Bro/BroInternalsAug2004
>
And Vern's original paper: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

> However, for the latest you'll always have to look at the source code
> yourself...

Exactly.

Ruoming