[Bro] question about bro's performance
cyclerror at gmail.com
Wed Sep 21 23:16:31 PDT 2005
Firstly, I am sorry for my English :) .
I have some questions on Bro:
1. I see the introduction in the Bro overview: Bro targets high-speed
(Gbps). I am surprised and doubt it.
Bro captures packets through libpcap and a BPF filter, but libpcap
isn't high performance.
That's the reason why zero-copying and DMA tech are used in the IDS field.
Bro analyses events by policy scripts. There is a problem that
a script's performance is lower than binary
programs. I didn't test Bro's performance, maybe I am wrong.
2. I know Bro supports defining signatures in regular expressions. I
want to know how Bro supports
regular expressions: by Perl or by doing it itself.
3. Is there a realtime alarm function in Bro? I sometimes want to
see the current network status on
screen, instead of viewing Bro's report file.
Many many thanks