[Bro-Dev] #537: Default policy script overhead due to DNS lookups in extend-email/hostnames.bro

Bro Tracker bro at tracker.bro-ids.org
Thu Aug 4 17:42:05 PDT 2011

#537: Default policy script overhead due to DNS lookups in extend-
 Reporter:  gregor   |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro1.6
Component:  Bro      |    Version:  git/master
 Keywords:           |

 Bro's new default set of policy-scripts include loading ``extend-
 email/hostnames.bro`` (via ``bro.init -> packet-filter ->

 This script does many async DNS lookups for notices. Doing so will
 significantly degrade performance. According to Robin probably due to when
 statements. Using a full trace with "normal" traffic runtime increase by a
 factor of 1.35 and memory usage by 3.4 (!). When using a SYN/FIN/RST only
 trace it's a lot lot lot worse (runtime even exceeds the runtime of the
 full trace and so does memory usage!)

 We should definitely remove the script from the default config. And, given
 its overhead, put a warning in the comments/docstrings so that users know
 what they are getting when they load the script.

 We might also want to consider removing other, potentially high volume DNS
 lookups from the default scripts (there's one in protocols/ssh but I don't
 think it's that high volume, but YMMV).

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/537>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list