[Bro] Filtering based on port-number

Sunjeet Singh sstattla at gmail.com
Thu Oct 7 14:33:53 PDT 2010


> when loading dpd you may need to change the filter to include all
> packets, e.g. on the command line:
> bro -f "tcp or udp or icmp" ...
>
Okay, so it makes sense to use capture_filter as it is when you are not 
using DPD, and to disable capture_filter (using "bro -f") if you are 
using DPD. In the latter case, you end up analyzing all packets, which 
causes an extra performance cost of about 13.8% [with the given parameters, 
Section 6.1, USENIX'06 paper].

The same section of the paper also says that the runtime of the Bro 
system exceeds the duration of the trace, indicating that we require 
"multiple NIDS instances in live operation".

"Multiple NIDS instances in live operation" - has this been discussed 
anywhere else? With the filter disabled, this would be very useful. Is 
it as simple as splitting up your policy file among different machines 
running Bro, or is there more to it?

Thank you, Peter.

Sunjeet Singh