[Bro] Tuning Bro

Seth Hall seth at icir.org
Wed Jul 18 17:43:35 PDT 2012

On Jul 18, 2012, at 5:24 PM, Sravan Bhamidipati wrote:

> 1. How do the IP ranges specified in Site::local_nets and networks.cfg affect Bro's monitoring? Do they have different use cases, or can they be used interchangeably? Or do they have nothing to do with each other? (As of now, my Site::local_nets and networks.cfg are identical.)

Those are the same thing.   If you run with BroControl, it uses networks.cfg as a convenience method for setting Site::local_nets.

> 2. From my layman's understanding, given a PCAP, the larger the window of time and the number of packets that a system looks at the more accurate its detection could be, the tradeoff being that of memory/performance. (I guess there won't be any packet dropping when reading PCAPs.) Is that true?

There definitely won't be any packet loss when reading from a tracefile.  I don't understand the rest of what you are saying, it mostly comes down to a question of if your host's CPU is overwhelmed or not.  If it's overwhelmed then you will drop packets on your NIC.  If you run out of memory then Bro will crash because it can't allocate any more memory.

> 3. For someone who doesn't know much about the Bro language, are there any generic configuration settings or tunables that might improve detection rates?

There are a number of settings which could affect Bro's analysis rate, but I'm not intimately familiar with too many.  The normal deployment is that people deploy enough hardware to handle their traffic.

> Like the maximum size up to which a packet is read

This is not something that is done in Bro because Bro's primary thrust is in protocol analysis.  If you analyze partial packets you can't correctly analyze any protocols.

> , or the number of packets that Bro simultaneously analyzes. (Snort has some parameters along these lines.)

I don't understand this comment.

> 4. How does Bro handle packet defragmentation and stream reassembly? Is there documentation for the internals, about the various components and analyzers and how they analyze traffic? I am looking for a basic understanding.

Most of it is documented with various settings here:

There are a lot of settings in there, but look for things like "tcp" and "defrag".


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list