[Bro-Dev] Enable DPD per default in 1.6?
robin at icir.org
Mon Jan 24 12:32:25 PST 2011
I'm wondering whether we should turn on DPD by default in 1.6. Doing
so would involve two things:

(1) Loading the DPD signatures (i.e., dpd.bro)
(2) Setting the packet filter to include all packets.

The former shouldn't be a problem, but the latter would be a major
change. We'd still keep the current build-your-filter-dynamically
scheme, but it would have to be enabled explicitly (say, with an
option in pcap.bro).

There's a further advantage to doing (2): it would eliminate one of
the most common mistakes: not realizing that Bro's filter doesn't
include what one wants to analyze. With a default-all filter, Bro
does what one would intuitively expect, and changing the filter to
be more restrictive could be filed under "performance tuning".

Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org