[Bro] write_expire computational time

Aashish Sharma asharma at lbl.gov
Tue Apr 25 08:18:52 PDT 2017


I have a couple of bro policies in production where I store/expire/extend hundreds of thousands (if not million+)  elements/records from table(s). SO far has been operationally workable. Offcourse, the expirations don't happen at the dot on the clock but often little later but that doesn't concern much.

Aashish 

On Tue, Apr 25, 2017 at 07:54:39AM -0700, Johanna Amann wrote:
> Hi,
> 
> the main function implementing expiry is TableVal::DoExpire in Val.cc
> (approximately line 2175).
> 
> > Basically, I want to know if I have a table with n elements, and each
> > element should expire 1 minute after its insertion - will bro loop over all
> > elements in the list checking if they are expired ?
> 
> Yes, Bro will loop over all elements from time to time, setting internal
> timeouts that cause a loop over the whole table removing expired elements.
> Note that elements are not guaranteed to expire after the expiration time;
> they will be removed sometime after expiration time, but it can take a
> bit.
> 
> > if this is the case then write_expire should be O(n), is this correct ?
> 
> The time overhead of expiration is O(n), correct.
> 
> Johanna
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


More information about the Bro mailing list