[Bro-Dev] #816: Reworked PacketFilter framework

Bro Tracker bro at tracker.bro-ids.org
Sat May 5 14:45:24 PDT 2012

#816: Reworked PacketFilter framework
  Reporter:  seth           |      Owner:
      Type:  Merge Request  |     Status:  new
  Priority:  Normal         |  Milestone:  Bro2.1
 Component:  Bro            |    Version:  git/master
Resolution:                 |   Keywords:

Comment (by robin):

 Replying to [comment:1 seth]:

 > It's completely normal on deployed clusters to have small amounts of
 packet loss, at least that has been my experience.  Increasing the delay
 was to reduce the volume of these notices.  Large clusters were creating
 multiple notices per worker per minute which just looks kind of sloppy
 when you search through notices.

 My concern is that with a large interval, it will take a while until drops
 are reported the *first* time. If I just start Bro up on the command line,
 I won't notice for 5 min whether I'm putting to much load on. I suggest we
 either leave the default small and increase it in local.bro instead, or we
 at least use something smaller than 5min; perhaps 30s or 1m.

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/816#comment:3>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list