[Bro] Signature Matching Performance

Chris bro at wressnegger.info
Thu May 3 23:41:51 PDT 2012

Currently I'm dealing with quite a lot (enough to significantly impact the runtime performance) of signatures in my Bro setup. I understand that signature matching isn't part of Bro's main focus; reading a response of Robin's to the mailing list from 2010 (http://mailman.icsi.berkeley.edu/pipermail/bro/2010-October/004621.html) made me abandon this illusion ;)
However, I wonder if there is a way to speed up things a little? Some points that come to my mind are:
- obviously reduce the number of signatures
- properly anchor the signatures rather than prefixing them with ".*". This seems to be the critical point in my situation. So if you have ideas how to resolve this without giving up matching at arbitrary positions... ;)
- clusters of Bro instances
- ...

Thanks, Chris.
