[Bro-Dev] [JIRA] (BIT-1016) Option to extend uids to 128 bit

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Tue Aug 27 14:02:00 PDT 2013


    [ https://bro-tracker.atlassian.net/browse/BIT-1016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13809#comment-13809 ] 

Jon Siwek commented on BIT-1016:
--------------------------------

{quote}while I generally like the bits_per_uid option, I'm wondering about the performance impact. If it were a static number, UID could just use a correspondingly sized array, vs. now using a relative expensive std::vector. Is the flexibility worth that here? I think a good alternative would be to just #define the bit length in UID, then we could at least easily increase it later.{quote}

We know that there's people (person) that may want something other than our default and we know that not everyone runs Bro by compiling it from source, so having the option to change it at parse-time I thought was nice.

{quote}If we want to keep the bits_per_uid option, could we at least switch to malloced array instead of std::vector with several pushs per UID?{quote}

I preferred vector to start because it's safer/simpler to write correct code, but yeah I can look in to that optimization especially since there's not a lot of code involved.

{quote}If keeping bits_per_uid, please add a test case that tries a few different values for it.{quote}

Ok.
                
> Option to extend uids to 128 bit
> --------------------------------
>
>                 Key: BIT-1016
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1016
>             Project: Bro Issue Tracker
>          Issue Type: New Feature
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: rhave
>            Assignee: Jon Siwek
>            Priority: Low
>             Fix For: 2.2
>
>
> Bro's uids are currently 64 bits, which makes them collide with a 50% chance after 5.1 x 10^9^ different uids (see http://en.wikipedia.org/wiki/Birthday_problem#Probability_table).
> I'm currently generating uuids of 128 bit to replace the native uids in bro, as I'm using them as keys in a database, but this requires rewriting of the bro-logs. I suspect that more people could benefit from an option to extend the uids to 128 bit.
> I've made a quick and dirty patch to change most of the uids to 128 bit (file_analysis uids are missing). The patch is ugly, and is only to show some of the functionality I would like: http://pastebin.com/GkaGejNc



--
This message was sent by Atlassian JIRA
(v6.1-OD-06#6139)


More information about the bro-dev mailing list