robin at icir.org
Mon Oct 25 21:52:36 PDT 2010
On Fri, Oct 22, 2010 at 11:56 -0700, you wrote:
> Clearly, an IDS architecture that separates protocol analysis and event
> handling can employ this technique to improve performance. And so this
> can be used for Bro. But, you'd need a working ANI.
That's right, but note that the ANI in the paper is a more powerful
component than what we need for "just" parallelizing a passive NIDS
(such as Bro). The latter primarily needs a load-balancer that
distributes packets across threads in a predictable manner. In the
most simple implementation (and in the current prototype) that's just
another thread copying packets around, which is obviously not that
great. A number of things come to mind to improve on that (as you
already mention as well): an external load-balancer like what we use
for the Bro Cluster; some dedicated network processors can already
do this internally; and, probably the best option of all, some of
the new commodity NICs actually have the necessary functionality on
board and can steer traffic directly to their target threads.
Generally, I expect much of what we need here to become pretty much
standard functionality in the near future.
> I don't know how recently this paper was written,
The paper has been growing over a while. :) The later parts were
finished about a year ago, the earlier ones in 2007/8 already iirc.
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
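The property Robin is after, a load-balancer that distributes packets across threads "in a predictable manner", boils down to hashing a flow key so that every packet of a connection, in both directions, lands on the same worker. The following is an added example illustrating that, not code from the mail or from Bro; the packet class, the constructed sample traffic and the hash seed are all assumptions made here. It hashes a direction-independent 5-tuple with `blake2b` and contrasts it with a naive directional hash that can split a connection across workers.

```python
import hashlib
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Minimal 5-tuple view of a packet; the payload is irrelevant for steering.
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP


def _endpoint(ip: str, port: int):
    # Canonicalise the address so textual variants of the same IP compare equal.
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr), port)


def flow_key(pkt: Packet):
    """Direction-independent 5-tuple: the two endpoints are sorted, so a packet
    and its reply produce the same key."""
    lo, hi = sorted((_endpoint(pkt.src_ip, pkt.src_port),
                     _endpoint(pkt.dst_ip, pkt.dst_port)))
    return (*lo, *hi, pkt.proto)


def worker_for(pkt: Packet, n_workers: int, seed: bytes = b"constructed-seed") -> int:
    """Map a packet to a worker thread by hashing its flow key.
    The seed is a constructed placeholder; a deployment would pick a per-process
    secret so the assignment stays deterministic but is not trivially guessable."""
    material = seed + repr(flow_key(pkt)).encode()
    digest = hashlib.blake2b(material, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


def naive_worker_for(pkt: Packet, n_workers: int, seed: bytes = b"constructed-seed") -> int:
    """Hash the 5-tuple exactly as seen on the wire; request and reply may diverge."""
    directional = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
    material = seed + repr(directional).encode()
    digest = hashlib.blake2b(material, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_workers


def distribute(packets, n_workers: int, assign=worker_for):
    """Return {worker: [packets]}, the per-thread queues a dispatcher would fill."""
    queues = defaultdict(list)
    for pkt in packets:
        queues[assign(pkt, n_workers)].append(pkt)
    return dict(queues)


def split_connections(packets, n_workers: int, assign=worker_for) -> int:
    """Count connections whose packets were steered to more than one worker."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[flow_key(pkt)].add(assign(pkt, n_workers))
    return sum(1 for workers in seen.values() if len(workers) > 1)


# Constructed sample traffic: three TCP connections, each with a request and a reply.
SAMPLE = []
for i, (client, server) in enumerate([("10.0.0.5", "192.168.1.10"),
                                      ("10.0.0.6", "192.168.1.10"),
                                      ("2001:db8::1", "2001:db8::ff")]):
    SAMPLE.append(Packet(client, server, 40000 + i, 80, 6))
    SAMPLE.append(Packet(server, client, 80, 40000 + i, 6))


if __name__ == "__main__":
    for w, q in sorted(distribute(SAMPLE, 4).items()):
        print(f"worker {w}: {len(q)} packets")
    print("split connections (symmetric):", split_connections(SAMPLE, 4))
    print("split connections (naive):   ", split_connections(SAMPLE, 4, naive_worker_for))
```

The same symmetry requirement applies when the steering is pushed into the hardware options Robin lists: receive-side scaling on commodity NICs only keeps both directions of a connection on one queue if its hash is configured to be direction-independent, otherwise the analyzer sees half-connections and loses state.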