[Bro] Brocontrol revisited

Siwek, Jon jsiwek at illinois.edu
Mon Aug 4 07:51:31 PDT 2014

On Aug 3, 2014, at 6:44 AM, James Lay <jlay at slave-tothe-box.net> wrote:

> I like brocontrol's ease of use and auto-reports, but not at the cost of an additional bro process that eats %15 CPU usage.  Any explanation for this?  Thank you.

Even in standalone mode, BroControl currently will have Bro listen for remote connections as some functionality of BroControl depends on that.  Bro will fork a process to do the listening which is the additional bro process.  The communication between parent, child, and peers use somewhat suboptimal I/O loops that rely on small timeouts which can be the reason for the extra CPU usage.  From what I understand, the reason for it being that way is historical (i.e. there were reasons for doing it that way on older systems).  I don’t know of any way to workaround it at this time, but improving/fixing the underlying problem is on the roadmap.

Jon

