[Bro-Dev] #537: Default policy script overhead due to DNS lookups in extend-email/hostnames.bro
Bro Tracker
bro at tracker.bro-ids.org
Thu Aug 4 17:42:05 PDT 2011
#537: Default policy script overhead due to DNS lookups in extend-email/hostnames.bro
---------------------+------------------------
Reporter: gregor | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
{{{
#!rst
Bro's new default set of policy scripts includes loading ``extend-email/hostnames.bro`` (via ``bro.init -> packet-filter -> frameworks/notice``).

This script does many async DNS lookups for notices. Doing so will
significantly degrade performance. According to Robin, this is probably due to
``when`` statements. Using a full trace with "normal" traffic, runtime increases
by a factor of 1.35 and memory usage by 3.4 (!). When using a SYN/FIN/RST-only
trace it's a lot lot lot worse (runtime even exceeds the runtime of the
full trace and so does memory usage!).

We should definitely remove the script from the default config. And, given
its overhead, put a warning in the comments/docstrings so that users know
what they are getting when they load the script.

We might also want to consider removing other, potentially high-volume DNS
lookups from the default scripts (there's one in protocols/ssh, but I don't
think it's that high volume, but YMMV).
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/537>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker