[Bro] A more parallel Bro

dalbrech at illinois.edu dalbrech at illinois.edu
Wed Feb 25 12:26:59 PST 2009

Ladies and Gentlemen (esp. Robin),

I've been doing some performance profiling on Bro.  In the course of my work, I 
noticed its main event loop is single-threaded.  I went back to the original 
1998 USENIX paper on Bro, and found the following in the "Implementation 
Issues" section:

"Since event handling lies at the heart of the system, it is natural to consider a 
multi-threaded design, with one thread per active event handler. We have so 
far resisted this approach, because of concerns that it could lead to subtle race 
conditions in Bro scripts...We may yet adopt a multi-threaded design. A more 
likely possibility is evolving Bro towards a distributed design, in which loosely-
coupled, multiple Bro's on separate processors monitor the same network link. 
Each Bro would watch a different type of traffic (e.g., HTTP or NFS) and 
communicate only at a high level, to convey current threat information."

A review of more recent literature suggests interest in exploiting the inherent 
parallelism of event handling (e.g. the NIDS cluster paper from RAID '07, and 
the Sarnoff '07 work) -- I'm wondering what the ICSI folks' position is on 
threads vs. clustering.

David A.

David R. Albrecht
Graduate Research Assistant, Hatswitch Group
U. Illinois Urbana-Champaign
(312) 445-0883
dalbrech at illinois.edu

More information about the Bro mailing list