If the hardware and OS tuning solutions fail to bring your CPU load
or memory consumption under control, the next step is to start turning
off analyzers. The signature engine is particularly CPU and memory
intensive, so try turning it off or greatly reducing the number of
signatures it processes. The HTTP analyzers are also CPU intensive.
For example, to turn off the HTTP reply analyzer, add the following
line to $BROHOME/site/local.site.bro:

    @unload http-reply
Another solution is to modify the libpcap filter that Bro uses. This
is done by adding entries to restrict_filters. For example, to capture
only the SYN/FIN control packets (the bits tested by tcp[13] & 7, which
also include RST) from a large web proxy, you can do this:

    redef restrict_filters += { ["not proxy outbound Web replies"] = "not (host bigproxy.mysite.net and src port 80 and (tcp[13] & 7 == 0))" };

This filter still lets you record the number and size of the HTTP
replies, but no further HTTP analysis will be performed on them.
Packets excluded by a restrict filter are dropped by libpcap before
Bro sees them, so they can no longer be analyzed, logged or matched
against signatures.
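To see exactly which packets the restrict filter above discards before Bro ever sees them, here is an added Python example (not part of the Bro distribution) that parses constructed IPv4/TCP packets and evaluates the filter's semantics by hand; the address 10.0.0.80 stands in for bigproxy.mysite.net and is an assumption.

```python
import struct
from ipaddress import IPv4Address

# Hypothetical address standing in for bigproxy.mysite.net (constructed).
PROXY_IP = "10.0.0.80"

# TCP flag bits as laid out in the flags byte that BPF calls tcp[13].
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract the fields the filter tests from a raw IPv4 packet (no link layer)."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    if pkt[9] != 6:                      # not TCP: tcp[13] can never match
        return {"src": src, "dst": dst, "tcp": False}
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    flags = pkt[ihl + 13]                # the byte BPF addresses as tcp[13]
    return {"src": src, "dst": dst, "tcp": True,
            "sport": sport, "dport": dport, "flags": flags}


def restrict_filter_keeps(pkt: bytes) -> bool:
    """Evaluate 'not (host PROXY and src port 80 and (tcp[13] & 7 == 0))'.

    True: libpcap hands the packet to Bro.  False: dropped before analysis.
    """
    f = parse_ipv4_tcp(pkt)
    if not f["tcp"]:
        return True
    proxy_web_reply = PROXY_IP in (f["src"], f["dst"]) and f["sport"] == 80
    pure_data = (f["flags"] & (FIN | SYN | RST)) == 0   # tcp[13] & 7 == 0
    return not (proxy_web_reply and pure_data)


def build_packet(src, dst, sport, dport, flags, payload=b"") -> bytes:
    """Constructed minimal IPv4+TCP packet; checksums left zero (fine for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + payload


if __name__ == "__main__":
    client = "192.0.2.10"                # constructed client address
    for name, pkt in [
        ("client SYN to proxy:80", build_packet(client, PROXY_IP, 40000, 80, SYN)),
        ("proxy SYN/ACK", build_packet(PROXY_IP, client, 80, 40000, SYN | ACK)),
        ("proxy reply data", build_packet(PROXY_IP, client, 80, 40000, ACK | PSH, b"HTTP/1.0 200 OK\r\n")),
        ("proxy FIN/ACK", build_packet(PROXY_IP, client, 80, 40000, FIN | ACK)),
    ]:
        print(f"{name:24s} -> {'kept' if restrict_filter_keeps(pkt) else 'dropped'}")
```

Only the proxy's bulk reply data is dropped; the SYN, SYN/ACK and FIN/ACK still reach Bro, which is why connection counts and reply sizes survive while HTTP content analysis does not.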