My company is in the process of porting ntop (www.ntop.org) to a hardware acceleration platform. After this, we'd like to do the same for BRO as an experiment.
I'm curious to know if there is a standard suite of tests used to benchmark BRO? Our goal is to baseline BRO on commodity hardware then run the same tests on the accelerated platform. We have ideas on how to do this, but we're certainly open to suggestions -- especially from those intimately familiar with BRO.

No, we don't have any performance benchmark. We did some performance
measurements in the past on traces (see http://www.icir.org/robin/papers/ccs04.pdf), but I'd suppose that
you guys are more interested in live traffic.

In general, when doing measurements with Bro, it is important to
keep in mind that performance depends a *lot* on the actual
configuration. Bro internally applies various schemes to only
perform types of analysis which are actually required for the given
setup.