[Bro] A more parallel Bro
dalbrech at illinois.edu
Wed Feb 25 12:26:59 PST 2009
Ladies and Gentlemen (esp. Robin),
I've been doing some performance profiling on Bro. In the course of my work, I
noticed its main event loop is single-threaded. I went back to the original
1998 USENIX paper on Bro, and found the following in the "Implementation
Issues" section:
"Since event handling lies at the heart of the system, it is natural to consider a multi-threaded design, with one thread per active event handler. We have so far resisted this approach, because of concerns that it could lead to subtle race conditions in Bro scripts... We may yet adopt a multi-threaded design. A more likely possibility is evolving Bro towards a distributed design, in which loosely-coupled, multiple Bro's on separate processors monitor the same network link. Each Bro would watch a different type of traffic (e.g., HTTP or NFS) and communicate only at a high level, to convey current threat information."
A review of more recent literature suggests interest in exploiting the inherent
parallelism of event handling (e.g. the NIDS cluster paper from RAID '07, and
the Sarnoff '07 work) -- I'm wondering what the ICSI folks' position is on
threads vs. clustering.
Best,
David A.
--
David R. Albrecht
Graduate Research Assistant, Hatswitch Group
U. Illinois Urbana-Champaign
(312) 445-0883
dalbrech at illinois.edu