I was thinking one way to gracefully address performance issues might be to say that Bro would be allowed to spend X cycles processing a specific packet, where X was a number determined by examining e.g. the current state of the network buffer + the historical packet rate / size. Enforcing a cut-off after X cycles could provide a way to dynamically scale the depth of the analysis to cope with additional load in lieu of completely dropping packets.
Could be that this is a terrible idea, but was just doing some homework / reading and thought I'd ask to see if anyone could point me to work along these lines (or possibly explain why the ideas are not good ones :). Regardless, thank you for taking the time to follow up!

Cheers,
Gilbert

On 9/28/2014 1:25 PM, Vern Paxson wrote:
> Can you sketch your use case? Different concerns (in particular, adversarial
> threats versus performance problems) have different implications.

_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev