[Bro-Dev] New http policy scripts

Gregor Maier gregor at icir.org
Thu Aug 4 20:42:32 PDT 2011


I've looked at the new http policy scripts and have some comments 
(first: thanks Seth for this re-organization, looks great):

It appears that per default protocols/http now does analyze 
HTTP-headers and HTTP-payload. Both of them are quite expensive in terms 
of CPU time. Particularly body analysis.

I would opt to *not* include those if just protocols/http is loaded 
(which will always be loaded by default in the future). HTTP is usually 
going to be the most expensive analysis (due to traffic volume) anyway, 
so we should give users an easy way to adjust the load according to 
their traffic and available hardware. So, I would opt to only do http 
request and http reply analysis by default and provide users with an 
easy option to

a) load HTTP-header analysis. E.g., protocols/http/headers
b) load HTTP-body analysis. E.g., protocols/http/body

(or name a) and b) http/medium and http/heavy respectively)

(I can see the value of always doing header analysis, so I think I could 
accept HTTP header analysis by default if others really want this, but I 
really think body analysis should not be done by default)

Also note that there is an http_headers event (note the "s" at the end). 
This event gives you all the headers with one event call. You will lose 
the order of events, and you'll only get the headers after the header is 
done (i.e., there's an empty line).
In my experience it's a *lot* faster, if you only use the http_headers 
event instead of relying on individual http_header() events (*). I would 
therefore opt to use the http_headers() event whenever possible!! 
(Particularly for everything that gets loaded by default)

Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
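The two ways of receiving HTTP headers that the mail compares, written out as an added Bro-script example (not from the mail or the Bro distribution). It assumes the Bro 2.x event signatures for http_header() and http_headers() and the mime_header_list type (a table of records with name and value fields); the watched-header set and the load path are constructed for the example.

```bro
# Added example: per-header-line vs. per-header-block event handling.
# Assumed load path for the HTTP base scripts (enables the analyzer).
@load base/protocols/http

module HTTPHeaderDemo;

export {
	# Constructed list of header names to report; header names arrive
	# upper-cased from the analyzer.
	const watched: set[string] = { "HOST", "USER-AGENT", "CONTENT-TYPE" } &redef;
}

# Cheap path recommended in the mail: ONE event per header block.
# Fires only after the empty line that ends the headers, and the
# order of the headers is not preserved.
event http_headers(c: connection, is_orig: bool, hlist: mime_header_list)
	{
	local dir = is_orig ? "request" : "reply";
	for ( i in hlist )
		{
		local h = hlist[i];
		if ( h$name in watched )
			print fmt("%s -> %s %s %s: %s", c$id$orig_h, c$id$resp_h,
			          dir, h$name, h$value);
		}
	}

# Expensive path the mail argues against: one event per header line,
# so a single request with 15 headers costs 15 event dispatches.
# Kept here for comparison only; do not enable both in production.
@if ( F )
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	if ( name in watched )
		print fmt("%s -> %s %s %s: %s", c$id$orig_h, c$id$resp_h,
		          is_orig ? "request" : "reply", name, value);
	}
@endif
```

Flip the `@if ( F )` to `@if ( T )` on a pcap with a few HTTP sessions to see the same header values arrive once per line instead of once per block.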
