[Bro] Filtering based on port-number

Seth Hall seth at icir.org
Fri Oct 8 08:33:40 PDT 2010

The best documentation for this can currently be found here:



On Oct 8, 2010, at 11:08 AM, Sunjeet Singh wrote:

>  I'm looking into it. Thanks for your help, Peter.
> Sunjeet Singh
> On 10-10-08 07:59 AM, Peter Erickson wrote:
>>>> when loading dpd you may need to change the filter to include all
>>>> packets, e.g. on the command line:
>>>> bro -f "tcp or udp or icmp" ...
>>> Okay, so it makes sense to use capture_filter as-it-is when you are not
>>> using DPD; and to disable capture_filter (using "bro -f") if you are
>>> using DPD. In the latter case, you end up analyzing all packets which
>>> causes an extra performance cost of about 13.8% [with given parameters,
>>> Section 6.1, USENIX'06 paper].
>>> The same section of the paper also says that the runtime of the Bro
>>> system exceeds the duration of the trace, indicating that we require
>>> "multiple NIDS instances in live operation".
>>> "Multiple NIDS instances in live operation" - has this been discussed
>>> anywhere else? With the filter disabled, this would be very useful. Is
>>> it as simple as splitting up your policy file among different machines
>>> running Bro or is there more to it?
>> Someone else can correct me if I'm wrong, but I think that you are 
>> needing to set up a clustered environment with managers, proxies, and 
>> workers. The user manual briefly mentions something about this in the 
>> installation section, but my limited understanding of how it works 
>> comes from reading the scripts located at $BROHOME/share/broctl. My 
>> use of bro is strictly for offline processing so I have yet to really 
>> pay attention to it other than starting bro in standalone mode.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
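The thread above contrasts two ways of making Bro see every packet when DPD is loaded: overriding the filter on the command line with `bro -f "tcp or udp or icmp"`, or leaving the scripts' own `capture_filters` table in place. The following policy snippet is an added illustration, not code from any of the posters or from the Bro distribution; it assumes the Bro 1.x convention that `capture_filters` is a `table[string] of string &redef` whose entries are OR'd together into the BPF expression handed to libpcap, and the key names (`"dpd-all"`, `"dns-only"`) are invented for the example.

```bro
# Added example (not from the list thread): widen the capture filter from a
# policy script instead of the -f command-line switch, so the setting travels
# with the policy rather than with whoever starts the process.

@load dpd

# ASSUMPTION: every entry of capture_filters is OR'd into the final BPF filter,
# so adding a broad entry has the same effect as `bro -f "tcp or udp or icmp"`.
# Key name "dpd-all" is invented for this example.
redef capture_filters += {
    ["dpd-all"] = "tcp or udp or icmp",
};

# Counter-example for the non-DPD case discussed in the thread: when DPD is not
# loaded, a narrow filter keeps the ~14% extra packet-processing cost off the box.
# Comment the broad entry out and keep only the protocol you analyze, e.g.:
#
# redef capture_filters += {
#     ["dns-only"] = "udp port 53",
# };

# Sanity check at startup: print the filter Bro actually installed, so an
# operator can confirm that the DPD-wide filter (and not the default) is active.
event bro_init()
{
    print fmt("capture_filters has %d entries", |capture_filters|);
    for ( name in capture_filters )
        print fmt("  %s => %s", name, capture_filters[name]);
}
```

Run with the policy on the command line (for example `bro -i eth0 local.bro`) and compare the printed entries against what `bro -f` would have produced; if a deployment needs the narrow filter on some sensors and the DPD-wide filter on others, the cluster setup mentioned in the quoted reply is where that per-worker difference belongs.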
