[Bro] Filtering based on port-number
sstattla at gmail.com
Thu Oct 7 14:33:53 PDT 2010
> when loading dpd you may need to change the filter to include all
> packets, e.g. on the command line:
> bro -f "tcp or udp or icmp" ...
Okay, so it makes sense to use capture_filter as it is when you are not
using DPD, and to disable capture_filter (using "bro -f") if you are
using DPD. In the latter case, you end up analyzing all packets, which
causes an extra performance cost of about 13.8% [with given parameters,
Section 6.1, USENIX'06 paper].

The same section of the paper also says that the runtime of the Bro
system exceeds the duration of the trace, indicating that we require
"multiple NIDS instances in live operation".

"Multiple NIDS instances in live operation" - has this been discussed
anywhere else? With the filter disabled, this would be very useful. Is
it as simple as splitting up your policy file among different machines
running Bro, or is there more to it?

Thank you, Peter.