[Bro-Dev] bloomfilter_counting_init parameterization ?

Aashish Sharma asharma at lbl.gov
Tue May 3 00:25:57 PDT 2016


So I am trying to use bloomfilter_counting_init for keeping a count of uniq IPs seen within a subnet and instead of relying on a table or a set, I was toying with an idea of using bloomfilter_counting_init. 

However, I am not clear on the parameterization below:

global bloomfilter_counting_init: function(k: count , cells: count , max: count , name: string &default=""): opaque of bloomfilter ;

What should be the length of the cells for storing 65536 IPs ? 

Is k=3 a good value or I need something else ? Could someone elaborate on how to decide these parameters. 

I looked at /btest/bifs/bloomfilter.bro but not quite clear.

thanks, 
Aashish 


On Mon, Apr 11, 2016 at 08:26:37AM -0700, Matthias Vallentin wrote:


More information about the bro-dev mailing list