[Bro] Use of GPUs for signature matching?

Vern Paxson vern at icir.org
Tue Oct 26 08:19:42 PDT 2010


> for the few
> true pattern matching activities Bro has to do, there's plenty of CPU
> to spare

Right.

> but for script execution such as going to time-machine,
> extracting files from pcap, etc., you're running out of CPU.

Yes in general for script execution, though that usually doesn't involve
the Time Mchine or pcap files.

> So if you're running into a performance challenge with the scripting
> language, would you consider switching from the native Bro scripting
> language to an embedded interpreter from something like Perl, Python,
> or Lua?

No, because we view Bro's domain-specific language as a big plus.

> With the
> increase in number of CPU cores climbing exponentially, a small
> performance hit would probably be acceptable if it can be offset by
> running on multiple cores.

Note, we have a major project on multicore network security analysis, which
focuses on Bro.  So this is definitely on our radar.  Here, having a
domain-specific language can be a significant win, since we can leverage
particular semantics for optimization that we could't if we used a general
interpreter.

> I think a well-known script language would
> also be a lot less scary for newcomers to Bro and really increase its
> user base.

I wonder if it's the particulars of the language.  Bro's scripting language
isn't itself that peculiar or hard to pick up.  What gets harder is (1)
the large set of predefined events, (2) langauge quirks in support of things
like state management (but we'd need those anyway), (3) the lack of adequate
"here's the overall model" and "here's the paradigm for XYZ" documentation -
which we're definitely aiming to fix.

		Vern



More information about the Bro mailing list