[Bro-Dev] Bro + real-time question
Clark, Gilbert
gc355804 at ohio.edu
Sun Sep 28 20:54:26 PDT 2014
That makes sense. I'll go ahead and read through that paper.
Thanks for the reference!
-Gilbert
________________________________________
From: Vern Paxson <vern at ICIR.org>
Sent: Sunday, September 28, 2014 7:57 PM
To: Clark, Gilbert
Cc: bro-dev at bro.org
Subject: Re: [Bro-Dev] Bro + real-time question
For performance concerns, it's not clear that individual packets are the
right granularity to examine. For example, if you stop processing one
packet you might be giving up on any subsequent analysis for the remainder
of its flow, which can have a large amplifying effect (or not) depending
on the size of the flow.
For a different approach to the problem, see section 5.3 ("Dynamically
controlling packet load") in the Operational Experiences paper,
http://www.icir.org/vern/papers/high-volume-ccs04.pdf .
Vern
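The granularity point above can be made concrete with a small simulation. The following is an added example, not code from the thread or from Bro: it assumes a stateful per-flow analyzer for which a dropped packet in the middle of a flow invalidates the rest of that flow's analysis, then compares shedding at packet granularity (drop every k-th arriving packet) with shedding at flow granularity (decide at a flow's first packet whether the whole flow is analyzed). The stream, the flow ids f1/f2/f3 and the metric names are constructed for the example.

```python
"""Packet- vs flow-granularity load shedding for a per-flow analyzer.

Constructed example. The analyzer keeps state per flow, so a packet dropped
mid-flow is assumed to forfeit the analysis of every later packet in that
flow (the amplifying effect depends on how much of the flow is still to come).
"""
from collections import Counter


def make_stream():
    """Constructed arrival order: f1 (12 pkts), f2 (4), f3 (4), round-robin
    for the first 12 packets, then f1 alone."""
    return ["f1", "f2", "f3"] * 4 + ["f1"] * 8


def summarize(dropped, forfeited, wasted, useful):
    """Collect the bookkeeping into one comparable record."""
    total_forfeited = sum(forfeited.values())
    return {
        "dropped": dropped,                      # packets deliberately not processed
        "forfeited": total_forfeited,            # packets whose analysis is lost
        "forfeited_per_flow": dict(forfeited),   # loss by flow, shows size dependence
        "wasted_work": sum(wasted.values()),     # packets processed for nothing
        "useful": sum(useful.values()),          # packets in fully analyzed flows
        "amplification": total_forfeited / dropped if dropped else 0.0,
    }


def shed_per_packet(stream, every):
    """Packet granularity: drop every `every`-th arriving packet, whatever
    flow it belongs to. The first drop in a flow breaks that flow."""
    broken = set()
    forfeited, wasted, useful = Counter(), Counter(), Counter()
    dropped = 0
    for i, flow in enumerate(stream):
        drop = (i + 1) % every == 0
        if drop:
            dropped += 1
        if drop or flow in broken:
            if flow not in broken:
                broken.add(flow)
                # work already spent on this flow now has no payoff
                wasted[flow] = useful.pop(flow, 0)
            forfeited[flow] += 1
            continue
        useful[flow] += 1
    return summarize(dropped, forfeited, wasted, useful)


def shed_per_flow(stream, every):
    """Flow granularity: when a flow is first seen, decide whether the whole
    flow is shed (here: every `every`-th new flow). No partial work is wasted."""
    seen, shed = [], set()
    forfeited, useful = Counter(), Counter()
    for flow in stream:
        if flow not in seen:
            seen.append(flow)
            if len(seen) % every == 0:
                shed.add(flow)
        if flow in shed:
            forfeited[flow] += 1
        else:
            useful[flow] += 1
    return summarize(sum(forfeited.values()), forfeited, Counter(), useful)


if __name__ == "__main__":
    stream = make_stream()
    for name, result in (("per-packet, drop every 5th", shed_per_packet(stream, 5)),
                         ("per-flow, shed every 2nd flow", shed_per_flow(stream, 2))):
        print(name)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

On the constructed stream, dropping 4 of 20 packets at packet granularity forfeits 12 packets of analysis (9 from the long flow f1, 3 from f2, none from f3) and wastes the work already done on 4 more, an amplification of 3x; shedding one whole flow at its first packet forfeits exactly the 4 packets it drops and wastes nothing. Exact numbers depend on how the drops line up with flow boundaries, which is the point of the message above.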