[Bro] spicy performance question
Troy Jordan
troyj at maine.edu
Tue Jun 7 19:21:07 PDT 2016
Spicy devs,

Since Spicy is still in development, is it to be expected that a
Spicy-based Bro parser would perform significantly slower than an
existing .pac parser of the same protocol?

In my particular testing environment, the pac-based modbus parser
processes 99% of a given modbus trace file when replayed at a specific
speed with tcpreplay (logging enabled).

The attached parser is a minimal modbus parser in Spicy which processes
< 50% of the same file (no logging enabled). Is this to be expected?

- Troy
--
Troy Jordan
t r o y j @ m a i n e . e d u
GIAC GCIH,GCIA
------------------------------------------------------------
Network Systems Security Analyst
Information Technology Security Office
University of Maine System
------------------------------------------------------------
233 Science Building | voice: 207.561.3590
Portland, ME 04103 | fax: 509.351.3650
"As you all know, Security Is Mortals chiefest Enemy"
William Shakespeare, Macbeth
-------------- next part --------------
module MODBUS;

import Bro;

# MessageStream: a list of Messages
export type MessageStream = unit {
    Messages : list<Message> ;
};

#
# Header:
#
export type ModbusHeader = unit {
    trans  : uint<16> ;
    proto  : uint<16> ;
    len    : uint<16> ;
    unitId : uint<8> ;
};

#
# Message:
#
export type Message = unit {
    header : ModbusHeader;
    fcode  : uint8;
    payload: bytes &length=self.header.len - 2;
};
-------------- next part --------------
grammar modbus.pac2;

protocol analyzer pac2::MODBUS over TCP:
    parse with MODBUS::MessageStream,
    port 502/tcp,
    replaces MODBUS;
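
The framing that the attached grammar describes (a 7-byte header, a function code, then len - 2 payload bytes, repeated), written out as an added Python example that is not part of the original post or of the Bro/Spicy code. The function names and sample bytes are constructed for illustration and big-endian fields are assumed, as in Modbus/TCP; the example also rejects len < 2, a case the grammar's length expression does not check.

```python
import struct

# Same field order as ModbusHeader: trans, proto, len, unitId (big-endian).
MBAP = struct.Struct(">HHHB")

class NeedMoreData(Exception):
    """Raised when the buffer ends before the current message does."""

def parse_message(buf, off=0):
    """Parse one Message at buf[off:]; return (fields, next_offset)."""
    if len(buf) - off < MBAP.size + 1:
        raise NeedMoreData("header or fcode incomplete")
    trans, proto, length, unit_id = MBAP.unpack_from(buf, off)
    # len counts unitId + fcode + payload, so payload is len - 2 bytes.
    # That expression is only meaningful when len >= 2.
    if length < 2:
        raise ValueError(f"len={length} is below the 2-byte minimum")
    fcode = buf[off + MBAP.size]
    start = off + MBAP.size + 1
    end = start + length - 2
    if end > len(buf):
        raise NeedMoreData("payload incomplete")
    fields = {"trans": trans, "proto": proto, "len": length,
              "unitId": unit_id, "fcode": fcode, "payload": buf[start:end]}
    return fields, end

def parse_stream(buf):
    """MessageStream: parse Messages until the data runs out.

    Returns (messages, unparsed_tail) so a caller can prepend the tail
    to the next TCP segment.
    """
    msgs, off = [], 0
    while off < len(buf):
        try:
            msg, off = parse_message(buf, off)
        except NeedMoreData:
            break
        msgs.append(msg)
    return msgs, buf[off:]

# Constructed sample bytes (not taken from the trace discussed in the post).
READ_REQ = bytes.fromhex("000100000006" "11" "03" "006b0003")
WRITE_RSP = bytes.fromhex("000200000006" "11" "05" "00acff00")
BAD_LEN = bytes.fromhex("000300000001" "11" "03")

if __name__ == "__main__":
    msgs, tail = parse_stream(READ_REQ + WRITE_RSP + READ_REQ[:5])
    for m in msgs:
        print(m)
    print("unparsed tail:", tail.hex())
```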