Hello:
Firstly, I am sorry for my English.
I have some questions on Bro:
1. I see in the introduction in the Bro overview that Bro targets high-speed
(Gbps) traffic. I am surprised and doubt it.
Bro captures packets through libpcap and BPF filters, but libpcap
isn't high performance.
That's the reason why zero-copy and DMA techniques are used in the IDS field.
Bro analyses events by policy scripts; there is a problem that a
script's performance is lower than a binary
program's. I didn't test Bro's performance, so maybe I am wrong.
2. I know Bro supports defining signatures in regular expressions. I
want to know how Bro supports
regular expressions: by Perl, or does it do it itself?
3. Is there a real-time alarm function in Bro? I sometimes want to
see the current network status on
screen, instead of viewing Bro's report file.
Many, many thanks.