[Bro] question about bro's performance
vern at icir.org
Fri Sep 23 00:09:30 PDT 2005
> 1. I see the introduction in bro overview: Bro targets high-speed
> (Gbps). I am surprised and doubt it.
These issues are discussed at length in the original Bro paper and also
H. Dreger, A. Feldmann, V. Paxson, and R. Sommer, Operational
Experiences with High-Volume Network Intrusion Detection, Proc.
ACM CCS, October 2004.
available at http://www.bro-ids.org/publications.html.
> 2. I know bro supports defining signatures in regular expressions. I
> want to know how bro supports
> regular expressions: by perl or do it yourself.
It has its own implementation, which is essentially the same as the one
used by the "flex" utility (freeware replacement for lex, which I wrote a
long time ago).
> 3. Is there realtime alarm function in bro?
Yes. This is a basic question that is also answered in the Bro paper,
as well as in the documentation available from bro-ids.org.