any experience on BRO into hardware

Hi All

Just wondering if someone has any experience compiling Bro into Hardware?

Thanks

Jules wrote:

Hi All

Just wondering if someone has any experience compiling Bro into Hardware?

Thanks

Not only have I had Bro running on Windows, but I have also gotten it to
run on a commodity Linksys router under the OpenWrt Linux distribution.
I believe Jason has tinkered with it a bit and put some of the info up
at: http://www.dsd.lbl.gov/~jason/openwrt/

Hi Jim

Thanks for the quick reply.

I am not sure if I got what you mean in your reply. What I actually meant is
to integrate Bro into the hardware itself, not to configure Bro to work
with a particular piece of hardware.

Thanks.

There is even more info up on www.bro-ids.org/linksys.html

Jim Mellander wrote:

Jules wrote:

Hi All

Just wondering if someone has any experience compiling Bro into Hardware?

Thanks


Are you asking about some sort of pcap/bpf in hardware offloading, an
actual implementation of bro on dedicated hardware (like an ASIC), or
something else?

thanks!

scott

Hi Scott

That's what I meant. I was talking about something like ASIC or FPGA.

thanks

There have been a number of efforts along these lines, but most of them
have focused less on taking the entire bro entity (or more likely the
event engine side) and punting it all into hardware.

In no particular order, you may want to look at:

http://www.icir.org/vern/papers/hotsec06.pdf

Also, Nick Weaver at ICIR may have some insight.

There has been significantly more work done on taking the bpf burden off
a host and running that in hardware. There are several different
companies that have products for this, but one that I have personal
experience with is the Force 10 P10 device. There is also a 1 gig
version as well.

In general I suspect that there is less to gain by running the entire
application on ASIC - there is still a considerable burden associated
with memory bandwidth and state maintenance. On the other hand if a
more knowledgeable person on this list has a different opinion, I would
be happy to recant.

Hopefully this is a little helpful?

thanks,

scott

Jules wrote:

In no particular order, you may want to look at:

http://www.icir.org/vern/papers/hotsec06.pdf

We now have a paper available on a different approach, Shunting (with which
you, Scott, are of course already familiar):

  http://www.icir.org/vern/papers/shunt-fpga-2007.pdf

- Vern

Thanks Vern for the new link (the second link). I have read the first paper
already and it was interesting. Only the title of the new paper sounds good.

Jules