[Bro-Dev] Bloom filter merging

Clark, Gilbert gc355804 at ohio.edu
Sun Jun 16 09:51:21 PDT 2013

What about:

    seed_i = h(((name.length() == 0) ? initial_seed : name) || i)

In my mind, it'd be cool if identical names would produce identical results (in this case) without the need to set an environment variable.  Maybe there's a reason that's a bad idea, though?

From: bro-dev-bounces at bro.org [bro-dev-bounces at bro.org] On Behalf Of Matthias Vallentin [vallentin at icir.org]
Sent: Thursday, June 13, 2013 11:45 PM
To: bro-dev at bro.org
Subject: Re: [Bro-Dev] Bloom filter merging

I had a chat with Vern about this earlier today and the discussion
yielded the following idea:

Rather than reserving a fixed number of seeds at startup, we use a
keyed hashing scheme that computes a seed to construct the i'th hash
function as follows:

    seed_i = h(initial_seed || name || i)

One can fix "initial_seed" at startup via an environment variable. The
new element "name" represents a parameter that the user provides
(optionally?) as part of the BiF bloomfilter_init. The counter "i"
allows for generating an arbitrary number of hash functions. The
function "h" shall be a consistent hash function, e.g., H3 seeded with
the initial seed.

Feedback welcome,

bro-dev mailing list
bro-dev at bro.org
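
The two seed derivations discussed in this thread, as an added example that is not code from either message or from Bro. It shows when two independently built filters can be merged by OR-ing their bits. BLAKE2b stands in for the suggested H3 hash, and the length-prefixed concatenation, filter size, helper names and sample seeds are all assumptions.

```python
import hashlib

def h(*fields: bytes) -> int:
    # Stand-in for "h" (the thread suggests H3); BLAKE2b is substituted here.
    # Each field is length-prefixed so "a"||"bc" and "ab"||"c" hash differently.
    buf = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return int.from_bytes(hashlib.blake2b(buf, digest_size=8).digest(), "big")

def seed_keyed(initial_seed: bytes, name: bytes, i: int) -> int:
    # Vallentin's proposal: seed_i = h(initial_seed || name || i)
    return h(initial_seed, name, i.to_bytes(4, "big"))

def seed_named(initial_seed: bytes, name: bytes, i: int) -> int:
    # Clark's variant: seed_i = h((name empty ? initial_seed : name) || i)
    return h(name if name else initial_seed, i.to_bytes(4, "big"))

class Bloom:
    def __init__(self, m, k, seed_fn, initial_seed, name=b""):
        self.m, self.bits = m, 0
        self.seeds = [seed_fn(initial_seed, name, i) for i in range(k)]

    def _positions(self, item: bytes):
        return [h(s.to_bytes(8, "big"), item) % self.m for s in self.seeds]

    def add(self, item: bytes):
        for p in self._positions(item):
            self.bits |= 1 << p

    def __contains__(self, item: bytes):
        return all((self.bits >> p) & 1 for p in self._positions(item))

    def merge(self, other):
        # OR-ing bit vectors is only meaningful if both sides hash identically.
        if (self.m, self.seeds) != (other.m, other.seeds):
            raise ValueError("different hash functions; refusing to merge")
        self.bits |= other.bits

def try_merge(seed_fn, seed_a: bytes, seed_b: bytes, name: bytes) -> bool:
    # Two processes, each with its own initial seed, build a filter of one name.
    a = Bloom(1024, 4, seed_fn, seed_a, name)
    b = Bloom(1024, 4, seed_fn, seed_b, name)
    a.add(b"10.0.0.1")
    b.add(b"10.0.0.2")
    try:
        a.merge(b)
    except ValueError:
        return False
    return b"10.0.0.1" in a and b"10.0.0.2" in a

if __name__ == "__main__":
    for fn in (seed_keyed, seed_named):
        print(fn.__name__, try_merge(fn, b"rand-A", b"rand-B", b"hosts"))
```

With `seed_named`, a named filter's hash functions depend only on the name, so they are the same in every process and are not kept private by `initial_seed`.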
