Help about Code

Hi,
   I want to start looking at BRO open source code.
Can anybody help how and where to start to make it
faster? Does anybody have a control flow description
spec (maybe a design spec)?
Thanks
--Raghu

Hi Raghu,

Hi,
   I want to start looking at BRO open source code.
Can anybody help how and where to start to make it
faster?

there's no obvious way to make Bro faster because there are so many ways
in which it can be configured to be slow :) So first you should try to
understand why you believe it to be slow, and how you can adjust your
policy to speed things up.

Does anybody have a control flow description
spec (maybe a design spec)?

The following might help you:

  http://www.icir.org/twiki/bin/view/Bro/BroInternalsAug2004

However, for the latest you'll always have to look at the source code
yourself...

Cheers,
Christian.

Running doxygen on the code produces some nice graphs of Bro's class
hierarchy.

Robin

Raghu,

Bro usually spends most of its time executing policy scripts (this, of course, depends on the configuration). And when it's too slow, my experience has been that it's often because some event is invoked too many times. Thus the first step I would take is to find out which events are invoked most frequently. There is a class of "high-risk" events, for example, tcp_packet, http_header, etc., that can easily be invoked too often and should be avoided when dealing with high-volume live traffic.

The following might help you:

  http://www.icir.org/twiki/bin/view/Bro/BroInternalsAug2004

And Vern's original paper: ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz

However, for the latest you'll always have to look at the source code
yourself...

Exactly.

Ruoming