[Bro-Dev] [JIRA] (BIT-1016) Option to extend uids to 128 bit
Robin Sommer (JIRA)
jira at bro-tracker.atlassian.net
Tue Aug 27 12:50:00 PDT 2013
[ https://bro-tracker.atlassian.net/browse/BIT-1016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13804#comment-13804 ]
Robin Sommer commented on BIT-1016:
Merged. Three comments:
- while I generally like the bits_per_uid option, I'm wondering about the performance impact. If it were a static number, UID could just use a correspondingly sized array, vs. now using a relatively expensive std::vector. Is the flexibility worth that here? I think a good alternative would be to just #define the bit length in UID, then we could at least easily increase it later.
- If we want to keep the bits_per_uid option, could we at least switch to a malloced array instead of std::vector with several pushes per UID?
- If keeping bits_per_uid, please add a test case that tries a few different values for it.
- We could use "C-<hex>" instead of "C<hex>" to make it more obvious that the first character is special. But not sure if it's worth it.
> Option to extend uids to 128 bit
> Key: BIT-1016
> URL: https://bro-tracker.atlassian.net/browse/BIT-1016
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Affects Versions: git/master
> Reporter: rhave
> Assignee: Jon Siwek
> Priority: Low
> Fix For: 2.2
> Bro's uids are currently 64 bits, which makes them collide with a 50% chance after 5.1 x 10^9 different uids (see http://en.wikipedia.org/wiki/Birthday_problem#Probability_table).
> I'm currently generating uuids of 128 bit to replace the native uids in bro, as I'm using them as keys in a database, but this requires rewriting of the bro-logs. I suspect that more people could benefit from an option to extend the uids to 128 bit.
> I've made a quick and dirty patch to change most of the uids to 128 bit (file_analysis uids are missing). The patch is ugly, and is only to show some of the functionality I would like: http://pastebin.com/GkaGejNc
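The birthday figure quoted in the issue description can be reproduced and compared across uid widths. The following is an added example, not code from Bro or from this thread; it assumes uids are uniformly random, and the rate of 10,000 new uids per second is a constructed value for illustration.

```python
import math

SECONDS_PER_DAY = 86_400


def collision_probability(n_uids: int, bits: int) -> float:
    """Birthday approximation: P ~= 1 - exp(-n(n-1) / (2 * 2**bits)).

    expm1 keeps precision when the probability is tiny (e.g. 128-bit uids),
    where 1 - exp(-x) would round to 0.
    """
    exponent = n_uids * (n_uids - 1) / (2 * 2 ** bits)
    return -math.expm1(-exponent)


def uids_for_probability(p: float, bits: int) -> float:
    """Number of uids at which the collision probability reaches p.

    Inverts the approximation above: n ~= sqrt(2 * 2**bits * ln(1 / (1 - p))).
    """
    return math.sqrt(2 * 2 ** bits * -math.log1p(-p))


def days_until(p: float, bits: int, uids_per_second: float) -> float:
    """Days of continuous logging before collision probability reaches p."""
    return uids_for_probability(p, bits) / uids_per_second / SECONDS_PER_DAY


if __name__ == "__main__":
    rate = 10_000  # constructed assumption: new uids per second across all sensors
    print(f"{'bits':>5} {'uids @ 50%':>12} {'days @ 50%':>12} {'P(1e9 uids)':>12}")
    for bits in (64, 96, 128):  # candidate uid widths
        print(
            f"{bits:>5} "
            f"{uids_for_probability(0.5, bits):>12.3g} "
            f"{days_until(0.5, bits, rate):>12.3g} "
            f"{collision_probability(10**9, bits):>12.3g}"
        )
```

When uids serve as database keys, the last column is the more relevant one: it gives the chance of at least one duplicate key after a fixed number of logged uids.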