[Bro] Signature Matching Performance
Seth Hall
seth at icir.org
Fri May 4 00:04:46 PDT 2012
On May 4, 2012, at 2:41 AM, Chris wrote:
> - properly anchor the signatures rather than prefixing them with ".*". This seems to be the critical point in my situation. So if you have ideas how to resolve this without giving up matching at arbitrary positions.... ;)
Could you give us some example signatures? If they have private data in them, you could defang them a little bit; I'm only asking so that we can see more about how you are using signatures. In general though, lots of signatures with .* at the beginning are going to be really, really bad.
> - clusters of Bro instances
That's always an option, but it may be more worthwhile to find out if you are using signatures for an appropriate task first. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/