[Bro] Use of GPUs for signature matching?
seth at icir.org
Tue Oct 26 07:33:57 PDT 2010
On Oct 26, 2010, at 9:54 AM, Martin Holste wrote:
> So if you're running into a performance challenge with the scripting
> language, would you consider switching from the native Bro scripting
> language to an embedded interpreter from something like Perl, Python,
> or Lua? That in and of itself probably would hurt performance, but my
> guess is that it would take a lot less time to embed something and
> then multi-thread it then rolling your own from scratch.
That likely not true. The performance hit would probably quite large with many of the dynamic languages. I don't know about Lua but with Perl and Python being untyped they do a lot of acrobatics whenever variables are created, accessed, and modified which doesn't work very with the soft realtime constraints that Bro needs to function within.
> I think a well-known script language would
> also be a lot less scary for newcomers to Bro and really increase its
> user base.
I think that every who start working with Bro has a point where they get frustrated with having to learn a new language (I know I did), but then after some time they start to recognize the reason that Bro has it's own language. The Bro policy script language is a large part of what makes Bro, Bro. :) It's a domain specific language for doing event analysis and Bro's core has been made to turn network traffic into a stream of events so that it would be possible to analyze it in this style. General purpose scripting languages would likely have to use strange syntaxes to get some of the features and functionality of the Bro language.
What will likely increase Bro's user base in a big way is for Bro to do a lot of interesting detections out of the box. There's likely going to ever only be a fairly small proportion of users who would ever learn or heavily use the scripting language even if it were Python or Perl. More documentation is going to help too. :)
More information about the Bro