[Bro-Dev] [JIRA] (BIT-1139) MHR lookups can cause significant CPU overhead in tests

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Tue Mar 11 11:43:18 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15723#comment-15723 ] 

Jon Siwek commented on BIT-1139:

topic/jsiwek/faster-mhr in just the bro repo.  It's purely a change in Bro scripts, so assigning to Seth to review, but general feedback is also nice.

The problem is mostly w/ the fact that the "when" statement involved in the MHR lookup ends up cloning a fa_file record, which is expensive.  The change in the branch sidesteps this by unrolling the needed fields from the fa_file record before the scope of the "when" statement to avoid cloning the full data structure.

I can see benefit in following up w/ a more robust answer to the potential cost of "when" statements, but I'd rather not have to touch the serialization or trigger code (at least for this release).

Also I don't get the comment in the ticket description about live operation exhibiting different behavior.  I'd expect it to be the same deal provided that the live traffic includes enough files in {{TeamCymruMalwareHashRegistry::match_file_types}} for the "when" stmt to actually get hit.

> MHR lookups can cause significant CPU overhead in tests
> -------------------------------------------------------
>                 Key: BIT-1139
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1139
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.3
> Live operation seems fine, need to understand what's going on.

This message was sent by Atlassian JIRA
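
The pattern the comment above describes, sketched in Bro script as an added illustration; it is not the code in topic/jsiwek/faster-mhr. The names ExampleMHR, FileFields, lookup_slow and lookup_fast are hypothetical, and the lookup domain and the choice of fields are assumptions.

```bro
# Added illustration, not code from the Bro repository.
# ExampleMHR, FileFields, lookup_slow and lookup_fast are hypothetical names.
module ExampleMHR;

export {
	# Only the fa_file fields that the asynchronous body needs.
	type FileFields: record {
		fuid:   string;
		source: string;
	};
}

# Expensive form: the "when" body refers to f, so the whole fa_file
# record is cloned (per the comment above) for every lookup started.
function lookup_slow(f: fa_file, hash: string)
	{
	# Assumed lookup domain for the Team Cymru Malware Hash Registry.
	local hash_domain = fmt("%s.malware.hash.cymru.com", hash);

	when ( local result = lookup_hostname_txt(hash_domain) )
		{
		print fmt("MHR answer for file %s from %s: %s", f$id, f$source, result);
		}
	}

# Cheaper form: the "when" body only sees a small record of plain strings,
# so nothing larger than FileFields is captured when the trigger is created.
function lookup_fast(fields: FileFields, hash: string)
	{
	local hash_domain = fmt("%s.malware.hash.cymru.com", hash);

	when ( local result = lookup_hostname_txt(hash_domain) )
		{
		print fmt("MHR answer for file %s from %s: %s",
		          fields$fuid, fields$source, result);
		}
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	if ( kind != "sha1" )
		return;

	# Unroll the needed fields before entering the scope of the "when".
	lookup_fast([$fuid=f$id, $source=f$source], hash);
	}
```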
