[Bro-Dev] Bro + real-time question

Gilbert Clark gc355804 at ohio.edu
Sun Sep 28 14:49:16 PDT 2014

I was thinking one way to gracefully address performance issues might be 
to say that bro would be allowed to spend X cycles processing a specific 
packet, where X was a number determined by examining e.g. the current 
state of the network buffer + the historical packet rate / size.  
Enforcing a cut-off after X cycles could provide a way to dynamically 
scale the depth of the analysis to cope with additional load in lieu of 
completely dropping packets.

Could be that this is a terrible idea, but was just doing some homework 
/ reading and thought I'd ask to see if anyone could point me to work 
along these lines (or possibly explain why the ideas are not good ones :).

Regardless, thank you for taking the time to follow up!


On 9/28/2014 1:25 PM, Vern Paxson wrote:
> Can you sketch your use case?  Different concerns (in particular, adversarial
> threats versus performance problems) have different implications.

More information about the bro-dev mailing list