Node: Bro Policy Tuning, Previous: Hardware and OS Tuning, Up: Performance Tuning



Bro Policy Tuning

If the hardware and OS tuning solutions fail to bring your CPU load or memory consumption under control, the next step is to start turning off analyzers. Signature matching is particularly CPU and memory intensive, so try turning it off or greatly reducing the number of signatures it processes. The HTTP analyzers are also CPU intensive. For example, to turn off the HTTP reply analyzer, add the following line at the beginning of the file $BROHOME/site/brohost.bro, before any @load commands:

     @unload http-reply

Another solution is to modify the libpcap (BPF) filter Bro captures with. This is done by adding entries to restrict_filters. For example, to capture only SYN/FIN packets of the replies from a large web proxy, and skip the data segments, you can do this:

     redef restrict_filters += { ["not proxy outbound Web replies"] =
          "not (host bigproxy.mysite.net and
                src port 80 and (tcp[13] & 7 == 0))" };

This filter will allow you to record the number and size of the HTTP replies, but will not do further HTTP analysis.

Another way to reduce the CPU load of Bro analysis is to split the work across two Bro hosts. An easy way to do this is to take the sum of the source and destination IP addresses (as 32-bit integers) and monitor even sums on one host and odd sums on the second host. Because the sum is the same in both directions, both halves of a connection are always seen by the same host.

For example:

     redef restrict_filters += { ["capture even src/dest pairs only"] =
          "(ip[12:4] + ip[16:4]) & 1 == 0" };
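As an added example (not from the Bro manual), the two restrict_filters above are mirrored in Python over constructed packet headers, assuming 192.0.2.10 is what bigproxy.mysite.net resolves to and a client at 198.51.100.7. It shows which segments survive the proxy filter and why the even/odd split keeps both directions of a connection on the same host.

```python
import ipaddress

# Constructed values, not from the Bro manual: 192.0.2.10 stands in for the
# address that "host bigproxy.mysite.net" resolves to when the filter is compiled.
PROXY_IP = "192.0.2.10"
TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04   # low three bits of tcp[13]


def ip_word(addr):
    """32-bit value of an IPv4 address, i.e. what ip[12:4] / ip[16:4] load in BPF."""
    return int(ipaddress.IPv4Address(addr))


def keeps_proxy_reply(src, dst, src_port, flags):
    """Mirror of 'not (host PROXY and src port 80 and (tcp[13] & 7 == 0))'.
    Pure data segments from the proxy's port 80 are dropped; segments carrying
    FIN, SYN or RST survive, so Bro still sees connection start and end and can
    report the size of each reply from the sequence numbers."""
    proxy_reply = (src == PROXY_IP or dst == PROXY_IP) and src_port == 80
    no_ctl_flags = (flags & (TCP_FIN | TCP_SYN | TCP_RST)) == 0
    return not (proxy_reply and no_ctl_flags)


def even_pair(src, dst):
    """Mirror of '(ip[12:4] + ip[16:4]) & 1 == 0'. BPF arithmetic is 32-bit, so
    the sum is masked first (wrap-around subtracts an even number and leaves the
    low bit unchanged)."""
    total = (ip_word(src) + ip_word(dst)) & 0xFFFFFFFF
    return (total & 1) == 0


def assign_host(src, dst):
    """Which of the two Bro hosts sees a packet: even sums on one, odd on the other."""
    return "bro-even" if even_pair(src, dst) else "bro-odd"


def both_directions_same_host(a, b):
    """Addition is commutative, so a->b and b->a packets always land together."""
    return assign_host(a, b) == assign_host(b, a)


if __name__ == "__main__":
    client = "198.51.100.7"                                    # constructed client
    print(keeps_proxy_reply(PROXY_IP, client, 80, 0x18))       # PSH|ACK data: False
    print(keeps_proxy_reply(PROXY_IP, client, 80, 0x12))       # SYN|ACK: True
    print(assign_host(client, PROXY_IP), both_directions_same_host(client, PROXY_IP))
```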