[Bro-Dev] Enable DPD per default in 1.6?

Robin Sommer robin at icir.org
Mon Jan 24 12:32:25 PST 2011


I'm wondering whether we should turn on DPD by default in 1.6. Doing
so would involve two things:

    (1) Loading the DPD signatures (i.e., dpd.bro)

    (2) Setting the packet filter to include all packets.

The former shouldn't be a problem, but the latter would be a major
change. We'd still keep the current build-your-filter-dynamically
scheme, but it would have to be enabled explicitly (say, with an
option in pcap.bro).


There's a further advantage to doing (2): it would eliminate one of
the most common mistakes: not realizing that Bro's filter doesn't
include what one wants to analyze. With a default-all filter, Bro
does what one would intuitively expect, and changing the filter to
be more restrictive could be filed under "performance tuning".


Thoughts?

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org