[Bro] policy event engine

Robin Sommer robin at icir.org
Fri Jan 21 09:54:36 PST 2011


There's actually one more aspect to this: while Bro's timers are not
precise, in typical situations they are also not *that* imprecise as
you are observing here with tables. The reason here is that table
expiration is actually done in batches: there's not an individual
timer per element (in which case expiration would be more timely),
but one per *table*. Every time that one fires, a certain number of
table elements is checked to see whether they have already
expired---which is why you're seeing expirations occurring in
discrete intervals. You can fine-tune the specifics of this process
with the parameters table_expire_interval, table_incremental_step,
and table_expire_delay; see policy/bro.init.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
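
Added example, not part of the message above and not Bro's source code: a small Python model of the per-table batch expiration it describes, showing why observed expirations land on discrete ticks and how the three tunables change the lateness. The function names, the fixed-period timer and all sample values are assumptions constructed for illustration.

```python
def simulate(deadlines_ms, interval_ms, step, delay_ms):
    """Model one expiration timer per table (assumed semantics).

    deadlines_ms: key -> time (ms) at which the entry becomes eligible.
    interval_ms : period of the single per-table timer
                  (role of table_expire_interval).
    step        : max entries examined per chunk
                  (role of table_incremental_step).
    delay_ms    : pause between chunks of one scan
                  (role of table_expire_delay).
    Returns key -> time (ms) at which the entry is actually expired.
    Assumes a scan always finishes before the next timer firing.
    """
    pending = dict(deadlines_ms)
    observed = {}
    fire = 0
    while pending:
        fire += interval_ms              # the table's one timer fires
        keys = list(pending)             # entries walked by this scan
        for i in range(0, len(keys), step):
            t = fire + (i // step) * delay_ms   # later chunks run later
            for k in keys[i:i + step]:
                if pending[k] <= t:      # only now is the deadline checked
                    observed[k] = t
                    del pending[k]
    return observed


def lateness(deadlines_ms, observed):
    """How long each entry outlived its nominal deadline, in ms."""
    return {k: observed[k] - deadlines_ms[k] for k in deadlines_ms}


# Constructed sample: five entries with a 5 s expiry, inserted at
# 0, 1.5, 3.2, 9.9 and 10 s, so these are their nominal deadlines.
DEADLINES = {"a": 5000, "b": 6500, "c": 8200, "d": 14900, "e": 15000}

if __name__ == "__main__":
    for interval in (10000, 1000):
        seen = simulate(DEADLINES, interval, step=5000, delay_ms=10)
        print(interval, seen, lateness(DEADLINES, seen))
```

With a 10 s timer period the entries are only noticed at t = 10 s and t = 20 s; with a 1 s period the worst-case lateness in this model drops below one second.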
