[Bro] Throughput Problems

Joel Ebrahimi joel.ebrahimi at gmail.com
Tue Mar 11 17:03:49 PDT 2008


Hi All,

I have been testing Bro recently. I have been having some performance
issues. I can  load these any and all (without the bad ones listed below) of
these policies I get great performance:

@load site
@load alarm
@load weird
@load http
@load worm
@load blaster
@load hot
@load signatures
@load synflood
@load backdoor

If I add any single one of these I go from being able to process traffic at
90Mb/s to under 1 Mb/s.

@load login
@load irc
@load portmapper
@load http-request
@load http-reply
@load ftp
@load stepping
@load tftp
@load frag
@load smtp

Has anyone ever seen this problem before? Know the solution? Know to where
even start looking?

I was also curious at waht speeds people start dropping packets. Obviously
the traffic your monitoring has an impact so maybe a little background would
help too. (ie 100 Mb/s with 64k udp packets)

Thanks in advance,

// Joel

Joel Ebrahimi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080311/a60d3c0b/attachment.html 


More information about the Bro mailing list