If the hardware and OS tuning solutions fail to bring your
CPU load or memory consumption under control, next you will
have to start turning off analyzers. Signatures are particularly CPU
and memory intensive,
so try turning it off or greatly reduce the number of signatures it
is processing. The HTTP analyzers are also CPU intensive. For example,
to turn off the HTTP reply analyzer, add the following lines at the beginning
of the file $BROHOME/site/brohost.bro
, before any @load commands.
@unload http-reply
Another solution is to modify libpcap filter for Bro. This is done
by adding restrict_filters
. For example, to only capture SYN/FIN
packets from a large web proxy, you can do this:
redef restrict_filters += { ["not proxy outbound Web replies"] = "not (host bigproxy.mysite.net and src port 80 and (tcp[13] & 7 == 0))" };
This filter will allow you to record the number and size of the HTTP replies, but will not do further HTTP analysis.
Another way to reduce the CPU load of Bro analysis is to split the work across two Bro hosts. An easy way to do this is to take the sum of the source and destination IPs, and monitor even combinations on one host and odd combinations on a second host.
For example:
redef restrict_filters += { ["capture even src/dest pairs only"] = "(ip[12:4] + ip[16:4]) & 1 == 0" };