Node: Bro Policy Tuning, Previous: Hardware and OS Tuning, Up: Performance Tuning



Bro Policy Tuning

If the hardware and OS tuning solutions fail to bring your CPU load or memory consumption under control, next you will have to start turning off analyzers. Signatures are particularly CPU and memory intensive, so try turning it off or greatly reduce the number of signatures it is processing. The HTTP analyzers are also CPU intensive. For example, to turn off the HTTP reply analyzer, add the following lines to $BROHOME/site/local.site.bro

     @unload http-reply
     

Another solution is to modify libpcap filter for Bro. This is done by adding restrict_filters. For example, to only capture SYN/FIN packets from a large web proxy, you can do this:

redef restrict_filters += { ["not proxy outbound Web replies"] = 
     "not (host bigproxy.mysite.net and
           src port 80 and (tcp[13] & 7 == 0))" };

This filter will allow you to record the number and size of the HTTP replies, but will not do further HTTP analysis.