[Bro-Dev] Bro + real-time question
Vern Paxson
vern at icir.org
Sun Sep 28 16:57:22 PDT 2014
For performance concerns, it's not clear that individual packets are the
right granularity to examine. For example, if you stop processing one
packet you might be giving up on any subsequent analysis for the remainder
of its flow, which can have a large amplifying effect (or not) depending
on the size of the flow.
For a different approach to the problem, see section 5.3 ("Dynamically
controlling packet load") in the Operational Experiences paper,
http://www.icir.org/vern/papers/high-volume-ccs04.pdf .
Vern