[Bro] SHA256 Hash File Analyzer

Ryan Stillions ryanstillions at hotmail.com
Fri Dec 30 08:00:35 PST 2016


I'm curious if anyone has this turned on at scale, on production systems?  If so, can you speak to the performance impacts Seth mentioned below?


Seth,

any thoughts if this would be the same with 2.5 as it was when you originally posted?   I didn't see anything specific about it in release notes, so would we be correct to assume the SHA256 analyzer would probably perform the same as what you saw back in Feb 16?


Thanks,

ryan


Sent from Outlook<http://aka.ms/weboutlook>


________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Shawn Homan <shawn.homan at gmail.com>
Sent: Thursday, February 11, 2016 5:39 PM
To: Seth Hall
Cc: bro at bro.org
Subject: Re: [Bro] SHA256 Hash File Analyzer

Thanks for the information. I have it turned on in my offline system, but not sure how to measure performance.

On Thu, Feb 11, 2016 at 10:40 AM, Seth Hall <seth at icir.org<mailto:seth at icir.org>> wrote:

> On Feb 10, 2016, at 4:55 PM, Shawn Homan <shawn.homan at gmail.com<mailto:shawn.homan at gmail.com>> wrote:
>
> I was wondering if anyone can tell me why the sha256 hash functionality isn't turned on by default for the files log.
>
> I am working on something and needed to turn it on. I normally only use Bro to process pcap files offline and have never used it on a live network.
>
> Does it cause performance issues?

When I was setting the default behavior a few years ago, I did some very weak testing and noticed that if I had md5 and sha1 turned on, the performance impact was ~1%, but it jumped up somewhere between 3-4% when I enabled SHA256.  That measurement should be revisited sometime soon though and perhaps even better measurements done to see if that performance impact is still there.

Generally though, there is nothing in place which is stopping you from enabling SHA256 file hashes.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161230/40c71e1a/attachment.html 


More information about the Bro mailing list