[Bro] Multi-threading

Sunjeet Singh sstattla at gmail.com
Fri Oct 22 11:56:46 PDT 2010


Thanks for sharing the link to the paper, it made an interesting read. 
This paper does a great job of explaining the concepts involved, even 
for someone like myself who doesn't have a background in parallel computing.

Clearly, an IDS architecture that separates protocol analysis and event 
handling can employ this technique to improve performance. And so this 
can be used for Bro. But, you'd need a working ANI.
I don't know how recently this paper was written, but when we're talking 
about today, where does ANI fit in, in hardware, and if not implemented 
as custom hardware then as a small program running in a core " if a 
multicore fabric includes embedded network resources" (like UltraSPARC T2)?

I couldn't figure out how recently this paper was written (2007-08?), 
and so while reading this paper I couldn't help but think about this 
very basic question-
Today, if I'm using Bro as the Host-based IDS on my machine, and if I 
find that Bro is not being able to keep up with the incoming packet 
rate, what are some steps that I should take?


Thank you,
Sunjeet Singh


On 10-10-20 2:12 PM, Robin Sommer wrote:
> Sorry for the delay.
>
> On Fri, Oct 08, 2010 at 16:39 -0700, Sunjeet Singh wrote:
>
>> Can someone please comment on the current status of multi-threading in
>> Bro? I would be interested in doing some work here.
> We have a proof-of-concept implementation of a multi-threaded Bro.
> Even though still an early prototype, it already improves Bro's
> performance quite a bit on multi-core systems and demonstrates that
> the approach works quite well. However, this prototype still has a
> number of limitations and is not yet usable from an operational
> perspective. There are also a number of different routes we could go
> from here, which aren't fully clear yet in their specifics.
>
> For more background, the most current description of the prototype
> is here:
>
>       http://www.icir.org/robin/papers/cc-multi-core-icast.pdf
>
> Section V. describes the parallelization approach, and Section VI.
> presents some preliminary measurements. (Section I-IV are on a more
> conceptual level; not all of that is directly reflected in Bro).
>
> A limiting factor for moving this forward right now is available
> time, so help and contributions would certainly be welcome. Is there
> anything specific you're thinking about? (I saw your mail about
> GPUs, will reply to that in a bit).
>
> Robin
>




More information about the Bro mailing list