Tuesday, June 27, 2006

Bro-IDS - Signature Matching

Lately I have deployed a testing box on a 30Mbps link using Bro-IDS; apparently it is a small monster when running with the default settings. Today I started to turn on the signature matching engine. Guess what!!!!! The small monster turns into the Hulk. Let's see how it goes -

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
546 bro 1 -58 0 166M 164M bpf 80:40 81.42% bro

It seems that it is not a good idea to turn the signature matching engine on, since it consumes too much processing power. I would rather have a Snort instance running for signature matching and Bro running as the protocol analyzer. Anyway, it's up to you.
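A sensor that pegs the CPU like the one above is a blind-spot risk, because once the IDS process saturates it starts dropping packets. The following shell snippet is an added example, not part of the original post or of Bro itself: it parses top-style output like the lines shown above, extracts the WCPU column for a named process, and flags the process when it crosses a threshold. The sample top output and the 75% threshold are constructed assumptions.

```shell
# Added example (not from the original post): parse top-style output and flag
# the IDS process when its CPU share crosses a threshold. The sample output
# below is constructed; the 75% threshold used at the bottom is an assumption.

# Constructed sample of `top` output: header line plus two process lines.
SAMPLE_TOP='PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
546 bro 1 -58 0 166M 164M bpf 80:40 81.42% bro
612 snort 1 20 0 98M 90M select 12:03 23.10% snort'

# ids_cpu_pct NAME: read top output from stdin and print the WCPU value
# (without the trailing %) of the process whose COMMAND is NAME.
# Prints nothing if the process is not present.
ids_cpu_pct() {
    awk -v name="$1" '
        # Locate the WCPU column from the header so column order does not matter.
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "WCPU") col = i; next }
        # Match on the COMMAND field (last column) and strip the percent sign.
        $NF == name && col { sub(/%$/, "", $col); print $col; exit }'
}

# ids_overloaded NAME THRESHOLD: return 0 if NAME uses more than THRESHOLD
# percent CPU, 1 otherwise (also 1 if the process is not running at all).
ids_overloaded() {
    pct=$(ids_cpu_pct "$1")
    [ -n "$pct" ] || return 1
    # awk does the floating-point comparison portably; exit 0 means "over".
    awk -v p="$pct" -v t="$2" 'BEGIN { exit !(p + 0 > t + 0) }'
}

# Stand-alone usage on the constructed sample with an assumed 75% threshold.
if printf '%s\n' "$SAMPLE_TOP" | ids_overloaded bro 75; then
    echo "bro is over the CPU threshold: check the sensor for dropped packets"
fi
```

On a live box you would feed it `top -b -n 1` (or the BSD equivalent) from cron instead of the constructed sample; the point is to watch the sensor's own load the same way you watch the traffic it inspects.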

F34R teh Hulk!!!!!

Peace :]

3 comments:

Anonymous said...

Yeah, it's true. Snort handles signatures very well and is impressive. :)

C.S.Lee said...

james,

Right tool for the right job!!!!!

Happy snorting

Anonymous said...

Just a couple of questions/comments:
1) What version of Bro were you using? 0.8, 0.9, 1.0, 1.1, 1.2?
2) By "default settings" I'm assuming that you mean every policy turned on...
Lastly, one comment on Snort vs Bro:
In rather large pipes I have found that the current list of Snort VRT rules runs faster in Bro 1.x than it does in Snort 2.6.x. The heavy processing load may be due to the loading of all policies and not the signature engine rules.

Just a thought,

Anonymous bro user