[Bro] raw bytes question
robin at icir.org
Fri Apr 17 09:46:13 PDT 2009
On Thu, Apr 16, 2009 at 18:00 -0500, you wrote:
> Thanks for the quick reply. The "off by default" comment comes from section
> 7.6.1 of the user manual which states "Signature matching is off by
I see. That paragraph is actually not referring to the signature
engine itself but to the set of
Snort-converted-and-further-augmented signatures that were shipped
as part of the Bro-Lite environment (which is technically still
there but hasn't been maintained for years and will be removed
soon). But I see how that can be confusing; the text doesn't really
make that distinction clear.
> states that reassembly is only done on the first 1K of streams. So, I
> (perhaps unreasonably) do not consider that reassembly because I am very
> regularly interested in the 1K-2K range of a stream.
Well, I'd call it "reassembly of the first 1K". As I wrote in the
mail and in the blog posting, that's all configurable. Different
people require different trade-offs.
> least that's what it used to use). I'm wondering how this compares with the
> Aho-Corasick NFA implementation of simple (non-regexp) string matching a la
> Snort, both in performance and memory consumption.
The paper actually compares with Snort, though with the Snort of
2003. I can't comment on any recent versions.
> I'd also be interested in comparisons on CPU cache efficiency.
That is an interesting question indeed.
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
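To make the "reassembly of the first 1K" trade-off concrete, here is an added example (not Bro's code, and not from the thread): a small Aho-Corasick multi-pattern matcher, as discussed above, run over a constructed stream with a configurable inspection window. A signature sitting in the 1K-2K range is missed with a 1024-byte window and found with a 2048-byte window.

```python
from collections import deque

def build_automaton(patterns):
    """Aho-Corasick over bytes: goto trie, failure links and output sets."""
    goto = [{}]          # state -> {byte: next_state}
    out = [set()]        # state -> indices of patterns ending in this state
    for idx, pat in enumerate(patterns):
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto[s][b] = len(goto)
                goto.append({})
                out.append(set())
            s = goto[s][b]
        out[s].add(idx)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())      # depth-1 states fail to the root
    while queue:                         # BFS so fail[r] is final before r's children
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]       # inherit patterns that are suffixes here
    return goto, fail, out

def scan(stream, patterns, window):
    """Return (pattern, end_offset) hits found within the first `window` bytes."""
    goto, fail, out = build_automaton(patterns)
    hits, s = [], 0
    for pos, b in enumerate(stream[:window]):   # bytes past the window are never inspected
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        for idx in sorted(out[s]):
            hits.append((patterns[idx], pos + 1))
    return hits

# Constructed sample: a benign request line, 1500 bytes of filler, then two
# signature strings starting at byte offset 1526, i.e. inside the 1K-2K range.
PATTERNS = [b"GET /", b"cmd.exe", b"/../"]
STREAM = b"GET /index.html HTTP/1.0\r\n" + b"A" * 1500 + b"/../cmd.exe" + b"B" * 400

if __name__ == "__main__":
    print(scan(STREAM, PATTERNS, 1024))   # only the request line is seen
    print(scan(STREAM, PATTERNS, 2048))   # all three patterns are found
```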