[Bro] [EXTERNAL] Re: Downside to using -b?
Thomas, Eric D
edthoma at sandia.gov
Mon Sep 16 06:53:40 PDT 2013
Terrific, thanks!
--
Eric Thomas
edthoma at sandia.gov
On 9/15/13 6:56 PM, "Seth Hall" <seth at icir.org> wrote:
>On Sep 13, 2013, at 6:46 PM, "Thomas, Eric D" <edthoma at sandia.gov> wrote:
>>
>> From what I can tell, not loading base/init-default.bro (using
>>the -b option) significantly improves performance, particularly if you
>>are not enabling a bunch of different kinds of analysis. Assuming my
>>local.bro loads the base scripts it needs for processing, is there any
>>reason why I wouldn't use -b?
>
>Hi Eric :)
>
>There's no reason not to use -b if you actually don't want that stuff
>enabled. Generally speaking, the only thing that should be consuming
>processing time in the normal mode is the protocol analysis. Everything
>else feeds off of that so the rest of the code that gets loaded shouldn't
>actually be getting executed (for the most part).
>
>We made the decision to enable so many things by default for the 2.0
>release because we wanted Bro to be extremely easy to run (to shed the
>past reputation of Bro being difficult to run). My goal was to make it
>easier to run than tcpdump and I think we achieved that (bro -r
>packets.pcap). The -b option was our way to leave the door open for more
>enterprising users to truly customize things as they wanted while still
>making Bro do a lot by default.
>
> .Seth
>
>--
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
>http://www.bro.org/
>
>
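As an added illustration of the approach discussed in the thread (this is not a script from either poster or from the Bro project), here is the shape a minimal local.bro takes when Bro is started with -b so that init-default.bro is skipped: every base script the analysis depends on is named explicitly, with nothing else loaded. The exact set of protocol scripts is an assumption chosen for the example; the paths are standard base/ scripts that ship with Bro 2.x, and the pcap name comes from the thread.

```bro
# local.bro for use with "bro -b" (example only, not the project's default local.bro).
# With -b, base/init-default.bro is not loaded, so nothing under base/ is
# pulled in implicitly; each script the deployment relies on is listed here.

# Logging framework: loading it explicitly is harmless if init-bare.bro has
# already done so, and it makes the dependency visible to whoever reads this file.
@load base/frameworks/logging

# Only the protocol analysis actually wanted. Per the thread, protocol
# analysis is where processing time goes, so this list is the cost knob.
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http

# Anything not listed (e.g. base/frameworks/notice, other protocol analyzers)
# is deliberately absent; add a line here rather than dropping -b if a log
# turns out to be needed.
```

Run it against a capture with `bro -b -r packets.pcap local.bro` and confirm that conn.log, dns.log and http.log appear in the working directory and that no other logs do; running the same capture once more without -b gives a direct comparison of the logs (and the runtime) that the default configuration adds.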