[Bro] Emerging Threats signatures on Bro ids ?

rmkml rmkml at yahoo.fr
Mon Aug 13 14:29:32 PDT 2012


Thank you for the reply, Seth.

OK, I have started a very small bench on my local network (wget, one connection):

- without et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around 40%-45% (top)

- all sigs of et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around 75%-90% (top)

- disabled only "packet_contents" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around 75%-90% (top)

- disabled only "entity_data" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around 75%-90% (top)

- disabled only "dns_request" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around 75%-90% (top)

- disabled only "http_header" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around 75%-90% (top)

- disabled only "http_request" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around 75%-90% (top)

Well, no special signature penalty.


I have discovered one problem in my case: in IDS mode, Bro does not fire immediately; after 5 minutes it still does not fire, and it fires only when I kill Bro. Is it possible to fire immediately on my rule set please?

Best Regards
Rmkml



On Mon, 13 Aug 2012, Seth Hall wrote:

>
> On Aug 13, 2012, at 12:38 PM, "rmkml at yahoo.fr" <rmkml at yahoo.fr> wrote:
>
>> Anyone tested please?
>> What's performance impact? (only 33sigs)
>
> There are a number of potential and definite problems.
>
> - For each http_request event, you are doing a lot of if & if else statements which *could* impact performance.
>
> - For each http header you are similarly doing a lot of if statements which will almost certainly cause a performance impact.
>   Also, you are accessing collected state in the c$http record when you should probably be using the name and value variables directly.
>   If you want to look through data before things are logged, your best bet is to use the HTTP::log_http logging framework event.
>
> - Again, lots of if statements for every dns request is probably going to have a severe performance impact.
>
> - For every single chunk of http entity data, you are running lots of if statements with pattern conditions again.
> 
> - Handling the packet_contents event at all is generally really bad.  The auto-generated documentation even comments on the fact that using that event is not really feasible for any traffic volume:
> 	http://www.bro-ids.org/documentation/scripts/base/event.bif.html?highlight=packet_contents#id-packet_contents
>
>
> This is one of the interesting things about Bro.  Due to it primarily being a programming language, you can absolutely do things that will negatively impact performance and break other analysis.  So like any other language you have to constantly be aware of what you are doing and the potential impacts.  We are actively working now to make it possible for you and others to do these detections more easily and with less potential performance impact.  Unfortunately we're still at the very beginning of a newly-found operational security engineering focus so this stuff is taking a bit longer than most people would like (me included!).
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>

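As an added illustration of Seth's two suggestions in the quoted reply (test the name/value arguments that http_header hands you instead of re-reading c$http, or do the check once in HTTP::log_http), here is a small Bro script; it is not code from the thread or from the et_bro2 rule set. The module name ET_Bench is hypothetical and the User-Agent patterns are constructed placeholders, not real Emerging Threats signatures. Load only one of the two handlers in practice; both raise the same notice.

```bro
@load base/frameworks/notice
@load base/protocols/http

# Hypothetical module name; not part of the et_bro2 rule set discussed above.
module ET_Bench;

export {
	redef enum Notice::Type += {
		## Raised when a client User-Agent matches one of the patterns below.
		Suspicious_User_Agent,
	};

	## Constructed placeholder patterns, not real Emerging Threats signatures.
	const ua_patterns: table[string] of pattern = {
		["example-scanner"] = /Example-Scanner\/[0-9]+/,
		["bare-urllib"]     = /^Python-urllib/,
	} &redef;
}

# Variant 1: test the value handed to the event instead of re-reading c$http.
# The early return keeps the cost of every other header near zero
# (Bro passes header names upper-cased).
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	if ( ! is_orig || name != "USER-AGENT" )
		return;

	for ( sig in ua_patterns )
		if ( ua_patterns[sig] in value )
			NOTICE([$note=Suspicious_User_Agent,
			        $msg=fmt("User-Agent matched %s: %s", sig, value),
			        $conn=c, $identifier=cat(c$id$orig_h, sig)]);
	}

# Variant 2: check the finished HTTP::Info record once per request, right
# before it is written to http.log, rather than once per header or chunk.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( ! rec?$user_agent )
		return;

	for ( sig in ua_patterns )
		if ( ua_patterns[sig] in rec$user_agent )
			NOTICE([$note=Suspicious_User_Agent,
			        $msg=fmt("User-Agent matched %s: %s", sig, rec$user_agent),
			        $id=rec$id, $identifier=cat(rec$id$orig_h, sig)]);
	}
```

The $identifier field lets the notice framework suppress repeated notices for the same source and signature, which also matters for the CPU cost once a pattern starts matching often.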

