Bro - a general question

Is Bro 1.4 the first attempt to make a parallelizable IDS?
Would anyone know, offhand, what the optimum number of worker nodes is? And I think that might change with network speed?

I will be going through the paper shortly, but if anyone can reply with a quick answer that would be helpful.


I think that the optimum number of worker nodes (the hosts actually sniffing traffic) is extremely site specific. Things that can make a big difference: number of packets per second, total bps bandwidth, the hardware your worker nodes are using, the analysis you're choosing to do, etc. Those are just the few things I could think of off the top of my head right now.

I'll describe my environment as an example. During the day we typically see upwards of 1.4 Gbps at just over 200K packets per second. We do full traffic analysis, our bpf filter is just "ip". We run the DPD (dynamic port detection) code, so we can identify protocols on any port. We run most of the "http-" suite of scripts (including my own custom scripts), causing the HTTP analyzer to be enabled which seems to be the most intense analyzer that Bro has. With all of this in mind, we don't drop packets for all intents and purposes.

We are currently running 6 2.4 GHz Core 2 Quad workers and another 8 or so 2.8 GHz Pentium 4 workers. I consider this fairly reasonable because we purchased all of the 1U quad core hosts new at just under $650 each and the Pentium 4s were free (but they can't process that much traffic because they have slow memory buses).

Currently, our plan for the future is to continue purchasing more hosts as the need (packet loss) arises. I think we should be able to scale reasonably well for quite some time with that strategy.
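The sizing strategy in the reply above (add workers when packet loss appears) can be turned into a repeatable check. The following is an added example, not code from the thread or from the Bro project: it assumes you can collect per-worker received/dropped packet counters over a measurement window (the `WorkerStats` records and the sample numbers are constructed here), treats any worker that dropped packets as saturated, uses the rate such a worker actually processed as a conservative per-worker capacity, and estimates how many workers the offered load needs with some headroom.

```python
"""Capacity check for a Bro-style worker cluster (constructed example).

Each worker reports packets received and packets dropped over an interval.
A worker that drops packets is treated as saturated, so the rate it *did*
process is taken as a conservative estimate of per-worker capacity.
"""
import math
from dataclasses import dataclass


@dataclass
class WorkerStats:
    name: str
    pkts_recv: int      # packets the worker actually analysed
    pkts_dropped: int   # packets the capture layer reported as lost
    interval_s: float   # length of the measurement window in seconds

    @property
    def offered_pps(self) -> float:
        """Packets per second that arrived at this worker, dropped or not."""
        return (self.pkts_recv + self.pkts_dropped) / self.interval_s

    @property
    def processed_pps(self) -> float:
        """Packets per second the worker kept up with."""
        return self.pkts_recv / self.interval_s

    @property
    def drop_pct(self) -> float:
        total = self.pkts_recv + self.pkts_dropped
        return 100.0 * self.pkts_dropped / total if total else 0.0


def per_worker_capacity_pps(workers: list[WorkerStats]) -> float:
    """Heuristic (assumption): a dropping worker is at its ceiling, so its
    processed rate bounds capacity; use the lowest such rate to be safe.
    If nobody dropped, the busiest worker is only a lower bound."""
    saturated = [w.processed_pps for w in workers if w.pkts_dropped > 0]
    if saturated:
        return min(saturated)
    return max(w.processed_pps for w in workers)


def plan_capacity(workers: list[WorkerStats], headroom: float = 0.2) -> dict:
    """Estimate how many workers the observed load needs, with headroom."""
    total_offered = sum(w.offered_pps for w in workers)
    total_pkts = sum(w.pkts_recv + w.pkts_dropped for w in workers)
    total_dropped = sum(w.pkts_dropped for w in workers)
    cap = per_worker_capacity_pps(workers)
    needed = math.ceil(total_offered * (1 + headroom) / cap)
    return {
        "total_offered_pps": total_offered,
        "overall_drop_pct": 100.0 * total_dropped / total_pkts if total_pkts else 0.0,
        "capacity_pps_per_worker": cap,
        "workers_needed": needed,
        "workers_to_add": max(0, needed - len(workers)),
        "saturated": [w.name for w in workers if w.pkts_dropped > 0],
    }


# Constructed sample: four workers measured over a 60 s window.
SAMPLE = [
    WorkerStats("worker-1", pkts_recv=3_000_000, pkts_dropped=0, interval_s=60),
    WorkerStats("worker-2", pkts_recv=3_600_000, pkts_dropped=600_000, interval_s=60),
    WorkerStats("worker-3", pkts_recv=3_600_000, pkts_dropped=300_000, interval_s=60),
    WorkerStats("worker-4", pkts_recv=2_400_000, pkts_dropped=0, interval_s=60),
]

if __name__ == "__main__":
    for w in SAMPLE:
        print(f"{w.name}: {w.offered_pps:,.0f} pps offered, {w.drop_pct:.1f}% dropped")
    for key, value in plan_capacity(SAMPLE).items():
        print(f"{key}: {value}")
```

With the constructed numbers the cluster is offered 225,000 pps, two workers are saturated at roughly 60,000 pps each, and with 20% headroom the plan calls for five workers, i.e. one more than the four measured. The per-worker ceiling is a heuristic: on a mixed cluster like the one described above (quad cores next to old Pentium 4s) you would group workers by hardware class before applying it.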