[Bro-Dev] New http policy scripts
Gregor Maier
gregor at icir.org
Thu Aug 4 20:42:32 PDT 2011
Hi,
I've looked at the new http policy scripts and have some comments
(first: thanks Seth for this re-organization, looks great):
It appears that per default protocols/http now does analyze
HTTP-headers and HTTP-payload. Both of them are quite expensive in terms
of CPU time. Particularly body analysis.
I would opt to *not* include those if just protocols/http is loaded
(which will always be loaded by default in the future). HTTP is usually
going to be the most expensive analysis (due to traffic volume) anyway,
so we should give users an easy way to adjust the load according to
their traffic and available hardware. So, I would opt to only do http
request and http reply analysis by default and provide users with an
easy option to
a) load HTTP-header analysis. E.g., protocols/http/headers
b) load HTTP-body analysis. E.g., protocols/http/body
(or name a) and b) http/medium and http/heavy respectively)
(I can see the value of always doing header analysis, so I think I could
accept HTTP header analysis by default if others really want this, but I
really think body analysis should not be done by default)
Also note that there is an http_headers event (note the "s" at the end).
This event gives you all the headers with one event call. You will lose
the order of events, and you'll only get the headers after the header is
done (i.e., there's an empty line).
In my experience it's a *lot* faster, if you only use the http_headers
event instead of relying on individual http_header() events (*). I would
therefore opt to use the http_headers() event whenever possible!!
(Particularly for everything that gets loaded by default)
cu
Gregor
--
Gregor Maier
<gregor at icir.org> <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
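As an added illustration of the single-event approach recommended above (this is example code, not from the post or from the Bro project), the handler below inspects a whole reply header block in one http_headers() call instead of one http_header() call per line. The module name and the watched-header list are assumptions; the event signature is the one Bro provides for http_headers.

```zeek
# Added example: process all headers of one HTTP message with a single
# http_headers event rather than one http_header event per header line.
# Assumes the Bro event signature
#   event http_headers(c: connection, is_orig: bool, hlist: mime_header_list)
# where mime_header_list is table[count] of record { name: string; value: string; }.

module HTTPHeaderCheck;   # hypothetical module name

export {
    # Reply headers a defender may want present on every server response
    # (constructed list for this example; adjust to local policy).
    const watched_reply_headers: set[string] = {
        "CONTENT-TYPE",
        "CONTENT-LENGTH",
    } &redef;
}

event http_headers(c: connection, is_orig: bool, hlist: mime_header_list)
{
    # Only inspect server replies; requests are skipped cheaply here.
    if ( is_orig )
        return;

    local seen: set[string];
    local server_banner = "";

    # One pass over the complete header block: this is the single event
    # call that replaces a series of per-header http_header() invocations.
    for ( i in hlist )
    {
        local name = to_upper(hlist[i]$name);
        add seen[name];
        if ( name == "SERVER" )
            server_banner = hlist[i]$value;
    }

    # Report replies that lack any of the watched headers.
    for ( w in watched_reply_headers )
    {
        if ( w !in seen )
            print fmt("%s:%s -> %s:%s reply missing %s header (server: %s)",
                      c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p,
                      w, server_banner);
    }
}
```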