[Bro] Bro performance issues
William Jones
jones at tacc.utexas.edu
Wed Nov 2 16:21:09 PDT 2011
Something changed in the way packet filters work on 2.0 Bata bro. It does not seem to have the old behavior.
What I wont is the ability to set a filter per work. That way I could write I could spread the tcp load for ip and iptv6 acros n works and run a n+1 work that take care of the no ip traffic.
Bill Jones
-----Original Message-----
From: bro-bounces at bro-ids.org [mailto:bro-bounces at bro-ids.org] On Behalf Of William Jones
Sent: Wednesday, November 02, 2011 4:32 PM
To: 'Seth Hall'
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues
Nice!
-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: Wednesday, November 02, 2011 2:58 PM
To: William Jones
Cc: 'Tomer Teller'; bro at bro-ids.org
Subject: Re: [Bro] Bro performance issues
On Nov 2, 2011, at 3:41 PM, William Jones wrote:
> Try the following pcap filtering trick:
> [worker-1]
> type=worker
> host=localhost
> interface=em0
> aux_scripts=q1of2
Nice one!
In the 2.0-beta you don't even need to define that aux_scripts field either. You should be able to just make files named worker-1.local.bro and worker-2.local.bro in your <prefix>/share/bro/site/ directory and they will automatically get loaded by the correct nodes.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
More information about the Bro
mailing list