[Bro] question about bro's performance

Vern Paxson vern at icir.org
Fri Sep 23 00:09:30 PDT 2005

>     1. I see the introduction in bro overview: Bro targets high-speed
> (Gbps). I am surprised and doubt it.

These issues are discussed at length in the original Bro paper and also

	H. Dreger, A. Feldmann, V. Paxson, and R. Sommer, Operational
	Experiences with High-Volume Network Intrusion Detection, Proc.
	ACM CCS, October 2004.

available at http://www.bro-ids.org/publications.html.

>     2. I konw bro supports to define signature in regular expression.I
> want to konw how does bro support
>        regular expressions: by perl or do it yourself.

It has its own implementation, which is essentially the same as the one
used by the "flex" utility (freeware replacement for lex, which I wrote a
long time ago).

>     3. Is there realtime alarm function in bro?

Yes.  This is a basic question that is also answered in the Bro paper,
as well as in the documentation available from bro-ids.org.


More information about the Bro mailing list