[Bro] Emerging Threats signatures on Bro ids ?

Seth Hall seth at icir.org
Mon Aug 13 10:00:05 PDT 2012


On Aug 13, 2012, at 12:38 PM, "rmkml at yahoo.fr" <rmkml at yahoo.fr> wrote:

> Anyone tested please?
> What's performance impact? (only 33sigs)

There are a number of potential and definite problems.

 - For each http_request event, you are doing a lot of if & if else statements which *could* impact performance.

 - For each http header you are similarly doing a lot of if statements which will almost certainly cause a performance impact.  Also, you are accessing collected state in the c$http record when you should probably be using the name and value variables directly.  If you want to look through data before things are logged, your best bet is to use the HTTP::log_http logging framework event.

 - Again, lots of if statements for every dns request is probably going to have a severe performance impact.

 - For every single chunk of http entity data, you are running lots of if statements with pattern conditions again.

 - Handling the packet_contents event at all is generally really bad.  The auto-generated documentation even comments on the fact that using that event is not really feasible for any traffic volume:
	http://www.bro-ids.org/documentation/scripts/base/event.bif.html?highlight=packet_contents#id-packet_contents


This is one of the interesting things about Bro.  Due to it primarily being a programming language, you can absolutely do things that will negatively impact performance and break other analysis.  So like any other language you have to constantly be aware of what you are doing and the potential impacts.  We are actively working now to make it possible for you and others to do these detections more easily and with less potential performance impact.  Unfortunately we're still at the very beginning of a newly-found operational security engineering focus so this stuff is taking a bit longer than most people would like (me included!).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
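As an added illustration of the advice above (not part of Seth's message or of the Bro distribution), the per-header pattern the reply criticises beside the two cheaper shapes it recommends: testing the `name`/`value` arguments directly, and inspecting the assembled record once in `HTTP::log_http`. The module name and the pattern `/constructed-bad-agent/` are made-up placeholders.

```bro
# Added example; module name and signature pattern are constructed placeholders.
module SigExample;

export {
    redef enum Notice::Type += {
        ## A User-Agent value matched a (constructed) signature pattern.
        Suspicious_UA,
    };
}

# The pattern the reply warns about: this handler fires for every header of
# every request and, instead of testing the header it was handed, re-reads
# c$http, which costs a record lookup each call and may not even hold the
# field yet at this point in the connection.
#
# event http_header(c: connection, is_orig: bool, name: string, value: string)
#     {
#     if ( c$http?$user_agent && /constructed-bad-agent/ in c$http$user_agent )
#         ...
#     }

# Cheaper: bail out early on direction and header name, then test only the
# value this event delivered. Bro hands header names to this event upper-cased.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( ! is_orig || name != "USER-AGENT" )
        return;

    if ( /constructed-bad-agent/ in value )
        NOTICE([$note=Suspicious_UA, $conn=c,
                $msg=fmt("User-Agent matched signature: %s", value)]);
    }

# For checks that need the whole assembled request, look at the record once,
# just before it is written to http.log, via the logging-framework event.
event HTTP::log_http(rec: HTTP::Info)
    {
    if ( rec?$user_agent && /constructed-bad-agent/ in rec$user_agent )
        print fmt("flagged %s %s", rec$id$orig_h, rec?$uri ? rec$uri : "-");
    }
```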
