[Bro] feeding bro cluster with parameters without restarting it
william de ping
bill.de.ping at gmail.com
Sat Mar 4 23:44:10 PST 2017
Hi, and thank you for your answers!
By slow I mean that writing to a file on a remote machine will have network
and IO (read and write) strains.
I suppose having something like ZeroMQ or some syslog messaging framework
will be more efficient.
In my case, I have a file that is being updated with 3+ lines per sec (each
line has 3 fields). This file is being mapped to a table.
Upon a new connection I check if orig_h is in this table and assign a field
I see that many orig_h's are not recognized even though they exist in the
Seth, can you please address me to a branch that includes this
reconfigurable bro framework?
On Thu, Mar 2, 2017 at 5:33 PM, Johanna Amann <johanna at icir.org> wrote:
> Indeed, I was also going to ask that. We did some performance measurements
> when we first wrote it - and it actually is quite fast. There only is a
> relatively low amount of components between the input reader and it storing
> things in a table; I cannot be 100% sure, but I doubt that other ingestion
> methods can be much faster. (I actually doubt that they will be faster at
> On 2 Mar 2017, at 7:27, Azoff, Justin S wrote:
> On Mar 2, 2017, at 4:33 AM, william de ping <bill.de.ping at gmail.com>
>>> The thing is that the INPUT framework (STREAM) and generally reading
>>> from files is relatively slow.
>> What exactly do you mean by relatively slow? How large are these tables
>> that you are reading?
>> - Justin Azoff
>> Bro mailing list
>> bro at bro-ids.org
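The setup described in this message (an appended three-field file mapped to a table, with `orig_h` looked up on each new connection), sketched as an added example that is not code from the thread or from the Bro project. The file path, the type and field names, and the choice of `ip`, `tag` and `source` as the three fields are assumptions; the `tag_entry` handler prints when each entry reaches the table so that time can be compared with the connection's start time.

```bro
# Added example. Path, type names and field names are assumptions.
# Tab-separated feed; its first line must be the ASCII reader header:
# #fields<TAB>ip<TAB>tag<TAB>source
const feed_path = "/opt/bro/feeds/host_tags.tsv" &redef;

type TagIdx: record { ip: addr; };
type TagVal: record { tag: string; source: string; };

global host_tags: table[addr] of TagVal = table();

# Carry the tag on the connection and write it to conn.log.
redef record connection += { host_tag: string &optional; };
redef record Conn::Info += { host_tag: string &log &optional; };

# Raised by the Input framework for every table change.
event tag_entry(desc: Input::TableDescription, tpe: Input::Event,
                left: TagIdx, right: TagVal)
	{
	if ( tpe == Input::EVENT_NEW )
		print fmt("%s tag for %s available", network_time(), left$ip);
	}

event bro_init()
	{
	# STREAM mode keeps the file open and picks up appended lines.
	Input::add_table([$source=feed_path, $name="host_tags",
	                  $idx=TagIdx, $val=TagVal,
	                  $destination=host_tags,
	                  $mode=Input::STREAM, $ev=tag_entry]);
	}

event new_connection(c: connection)
	{
	# Only entries already delivered to the table can match here.
	if ( c$id$orig_h in host_tags )
		c$host_tag = host_tags[c$id$orig_h]$tag;
	}

event connection_state_remove(c: connection)
	{
	# Default priority: runs after conn/main.bro fills c$conn (priority 5)
	# and before it writes the log entry (priority -5).
	if ( c?$host_tag && c?$conn )
		c$conn$host_tag = c$host_tag;
	}
```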