[Bro] Emerging Threats signatures on Bro ids ?

rmkml rmkml at yahoo.fr
Tue Aug 14 17:16:06 PDT 2012


Hi,
OK, I have made progress on my performance penalty: simply disabling "packet_contents" and "entity_data" brings my performance back to 40%-45%...
(downloading one file of size 1.9 GB with wget multiple times)
Good news.

Has anyone tested partial ET open-gpl on live traffic, please?
Regards
Rmkml


On Mon, 13 Aug 2012, rmkml wrote:

> Thanks for the reply, Seth,
>
> OK, I have started a very small bench on my local network: (wget, one connection)
>
> - without et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around (top) 40%-45%
>
> - all sigs in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around (top) 75%-90%
>
> - disabled only "packet_contents" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around (top) 75%-90%
>
> - disabled only "entity_data" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around (top) 75%-90%
>
> - disabled only "dns_request" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around (top) 75%-90%
>
> - disabled only "http_header" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around (top) 75%-90%
>
> - disabled only "http_request" in et_bro2_11aug, HTTP download at --limit-rate=85m, Bro CPU around (top) 75%-90%
>
> Well, no particular signature penalty.
>
>
> I have discovered one problem in my case: in IDS mode, Bro does not fire immediately; after 5 min it has not fired, and it fires only when I kill Bro. Is it possible to fire immediately on my rule set, please?
>
> Best Regards
> Rmkml
>
>
>
> On Mon, 13 Aug 2012, Seth Hall wrote:
>
>> 
>> On Aug 13, 2012, at 12:38 PM, "rmkml at yahoo.fr" <rmkml at yahoo.fr> wrote:
>> 
>>> Anyone tested please?
>>> What's performance impact? (only 33sigs)
>> 
>> There are a number of potential and definite problems.
>> 
>> - For each http_request event, you are doing a lot of if & if else 
>> statements which *could* impact performance.
>> 
>> - For each http header you are similarly doing a lot of if statements which 
>> will almost certainly cause a performance impact.
>>   Also, you are accessing collected state in the c$http record when you 
>> should probably be using the name and value variables directly.
>>   If you want to look through data before things are logged, your best bet 
>> is to use the HTTP::log_http logging framework event.
>> 
>> - Again, lots of if statements for every dns request is probably going to 
>> have a severe performance impact.
>> 
>> - For every single chunk of http entity data, you are running lots of if 
>> statements with pattern conditions again.
>> 
>> - Handling the packet_contents event at all is generally really bad.  The 
>> auto-generated documentation even comments on the fact that using that 
>> event is not really feasible for any traffic volume:
>> 	http://www.bro-ids.org/documentation/scripts/base/event.bif.html?highlight=packet_contents#id-packet_contents
>> 
>> 
>> This is one of the interesting things about Bro.  Due to it primarily being 
>> a programming language, you can absolutely do things that will negatively 
>> impact performance and break other analysis.  So like any other language 
>> you have to constantly be aware of what you are doing and the potential 
>> impacts.  We are actively working now to make it possible for you and 
>> others to do these detections more easily and with less potential 
>> performance impact.  Unfortunately we're still at the very beginning of a 
>> newly-found operational security engineering focus so this stuff is taking 
>> a bit longer than most people would like (me included!).
>>
>>  .Seth
>> 
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>> 
>> 
>
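Seth's quoted advice above (use the `name` and `value` arguments of `http_header` directly rather than re-reading `c$http`, and do per-request checks in the `HTTP::log_http` logging-framework event instead of chains of `if` statements in `http_request`) can be put into a small script. The following is an added example written for this thread, not code from the et_bro2_11aug rule set or from the Bro project; it assumes the Bro 2.x event signatures of 2012 (`http_header(c, is_orig, name, value)` and `HTTP::log_http(rec: HTTP::Info)`), and the header patterns, URI pattern and notice names are illustrative placeholders, not ET rule content.

```bro
# Added example (not from the thread): one table lookup per header
# decides whether any regex runs at all, and request-level checks
# run once per request in HTTP::log_http after the analyzer has
# assembled the record. Patterns and notice names are placeholders.

@load base/frameworks/notice
@load base/protocols/http

module ETExample;

export {
	redef enum Notice::Type += {
		## A request header value matched one of header_checks.
		Suspicious_Header,
		## A logged HTTP request URI matched uri_check.
		Suspicious_Request,
	};

	## Header name (upper-cased, as the HTTP analyzer delivers it)
	## mapped to the single pattern to test against its value.
	## Illustrative placeholders, not ET signatures.
	const header_checks: table[string] of pattern = {
		["USER-AGENT"] = /^(Mozilla\/4\.0 \(compatible; MSIE 6\.0\)|curl\/7\.1)/,
		["HOST"]       = /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/,
	} &redef;

	## URI pattern checked once per logged request (placeholder).
	const uri_check = /\.php\?cmd=/ &redef;
}

# Use the event's own name/value arguments; the table lookup is
# cheap and at most one regex runs per header.
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	if ( ! is_orig )
		return;

	if ( name !in header_checks )
		return;

	if ( header_checks[name] in value )
		NOTICE([$note=Suspicious_Header,
		        $msg=fmt("suspicious %s header: %s", name, value),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, name)]);
	}

# Fires once per request when the http.log record is written, so
# method, host and uri are available together without collecting
# state in separate http_request/http_header handlers.
event HTTP::log_http(rec: HTTP::Info)
	{
	if ( ! rec?$uri )
		return;

	if ( uri_check in rec$uri )
		NOTICE([$note=Suspicious_Request,
		        $msg=fmt("suspicious request %s %s%s",
		                 rec?$method ? rec$method : "-",
		                 rec?$host ? rec$host : "-",
		                 rec$uri),
		        $id=rec$id, $uid=rec$uid]);
	}
```

Run it against a capture with `bro -r trace.pcap etexample.bro` and look for the notices in notice.log; with rules whose conditions are pure content matches, the signature framework (a `.sig` file loaded via `signature_files`) is the lighter alternative to script-level regexes, since the pattern matching then happens in the core rather than in the interpreter.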
