[Bro-Dev] Bro + real-time question
gc355804 at ohio.edu
Sun Sep 28 14:49:16 PDT 2014
I was thinking one way to gracefully address performance issues might be
to say that bro would be allowed to spend X cycles processing a specific
packet, where X was a number determined by examining e.g. the current
state of the network buffer + the historical packet rate / size.
Enforcing a cut-off after X cycles could provide a way to dynamically
scale the depth of the analysis to cope with additional load in lieu of
completely dropping packets.
Could be that this is a terrible idea, but was just doing some homework
/ reading and thought I'd ask to see if anyone could point me to work
along these lines (or possibly explain why the ideas are not good ones :).
Regardless, thank you for taking the time to follow up!
On 9/28/2014 1:25 PM, Vern Paxson wrote:
> Can you sketch your use case? Different concerns (in particular, adversarial
> threats versus performance problems) have different implications.
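The per-packet budget idea from the message above, as an added sketch that is not part of the original post and not Bro code. The stage names, cycle costs, the budget formula (fair share at the historical rate, scaled by free buffer space) and the constructed burst are all assumptions chosen for illustration.

```python
# Added illustration: stage names, cycle costs and the budget formula are
# assumptions made for this sketch, not Bro internals.
STAGES = [("headers", 200), ("connection_state", 600),
          ("protocol_parse", 2500), ("script_events", 6000)]
FULL_COST = sum(cost for _, cost in STAGES)

def cycle_budget(buffer_fill, avg_rate, cycles_per_tick, floor=200):
    """Cycles one packet may use: fair share of the tick at the historical
    packet rate, scaled down as the buffer fills (buffer_fill in [0, 1])."""
    fair_share = cycles_per_tick / max(avg_rate, 1.0)
    headroom = max(0.0, 1.0 - buffer_fill)
    return max(floor, int(fair_share * headroom))

def analyze(budget):
    """Run stages shallow to deep; stop before the one that would overrun."""
    done, spent = [], 0
    for name, cost in STAGES:
        if spent + cost > budget:
            break
        done.append(name)
        spent += cost
    return done, spent

def simulate(arrivals, adaptive, cycles_per_tick=100_000, slots=64, alpha=0.5):
    """Per-tick report of drops, backlog and analysis depth reached."""
    queue, rate, report = 0, float(arrivals[0]), []
    for n in arrivals:
        rate = alpha * n + (1 - alpha) * rate      # historical rate (EWMA)
        dropped = max(0, queue + n - slots)        # buffer overflow
        queue = min(slots, queue + n)
        left, depths = cycles_per_tick, []
        while queue:
            budget = (cycle_budget(queue / slots, rate, cycles_per_tick)
                      if adaptive else FULL_COST)
            stages, spent = analyze(budget)
            if spent > left:
                break                              # tick exhausted
            left -= spent
            queue -= 1
            depths.append(len(stages))
        report.append({"dropped": dropped, "backlog": queue,
                       "min_depth": min(depths, default=0),
                       "max_depth": max(depths, default=0)})
    return report

if __name__ == "__main__":
    burst = [60, 60]                               # constructed load
    print("fixed depth:", simulate(burst, adaptive=False))
    print("budgeted:   ", simulate(burst, adaptive=True))
```

On the constructed burst, fixed-depth analysis overflows the buffer in the second tick, while the budgeted run keeps every packet but only reaches the two shallowest stages.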