[Bro] Bro 2.0 packets dropped

[William Jones]

There is a relative new behavior from the scanners.   In order are to work around the automatic scan blocking they have increased the scan rate to so that they can scan 30K-60K address in a second.   This make bro go compute bound, I think it do to creating a recorded for each connection pair,  and it cannot keep up.   

Using PF_RING helps but not all attach hash well and one worker can be be overwhelmed.

Has anyone else seeing this new behavior. 

Bill Jones