Bro currently follows a single-threaded model in which every incoming packet is first filtered, analyzed for protocol based on its signature (and not simply port-number) and then handled according to a user-defined policy for that protocol. While Bro provides mechanisms to distribute the processing of the handled policy events, the protocol analysis poses a performance bottleneck in that it might not be able to keep up with the speed of incoming packets.
In Bro's signature matching engine, connections sometimes trigger more than one signature and so can not be immediately associated with a protocol. But as more connection packets arrive, a better decision about the protocol involved can be made. During this process, different protocol analyzers may be spawned and killed until finally the right protocol is arrived at. Regular expression matching is done here to match signatures.
I believe that GPUs can be used here to perform parallel signature matching by different protocol analyzers, thus speeding up the protocol analysis phase. With this, Bro would be able to operate at a higher packet rate than it does now.
If this is true, I would like to do this. I will appreciate if you could share your thoughts.
Snort's packet processing throughput increased by 60% with the use of GPUs ( http://www.springerlink.com/content/b3m7662014272t8m/ ) and Suricata has plans to introduce GPUs ( http://blog.securitymonks.com/2010/08/26/three-little-idsips-engines-build-their- open-source-solutions/ ).