[Bro] raw bytes question

Robin Sommer robin at icir.org
Fri Apr 17 09:46:13 PDT 2009

On Thu, Apr 16, 2009 at 18:00 -0500, you wrote:

> Thanks for the quick reply.  The "off by default" comment comes from section
> 7.6.1 of the user manual which states "Signature matching is off by
> default." 

I see. That paragraph is actually not refering to the signature
engine itself but to the set of
Snort-converted-and-further-augmented signatures that were shipped
as part of the Bro-Lite environment (which is technically still
there but hasn't been maintained for years and will be removed
soon.) But I see how that can be confusing; the text doesn't really
make that distinction clear.

> states that reassembly is only done on the first 1K of streams.  So, I
> (perhaps unreasonably) do not consider that reassembly because I am very
> regularly interested in the 1K-2K range of a stream.

Well, I'd call it "reassembly of the first 1K". As I wrote in the
mail and in the blog posting, that's all configurable. Different
people require different trade-offs.

> least that's what it used to use).  I'm wondering how this compares with the
> Aho-Corasick NFA implementation of simple (non-regexp) string matching a la
> Snort, both in performance and memory consumption. 

The paper actually compares with Snort, though with the Snort of
2003. I can't comment on any recent versions. 

>  I'd also be interested in comparisons on CPU cache efficiency.

That is an interesting question indeed.


Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

More information about the Bro mailing list