[ https://bro-tracker.atlassian.net/browse/BIT-1139?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15723#comment-15723 ]

Jon Siwek commented on BIT-1139:
--------------------------------

topic/jsiwek/faster-mhr in just the bro repo. It's purely a change in Bro
scripts, so assigning to Seth to review, but general feedback also nice.

The problem is mostly w/ the fact that the "when" statement involved in the MHR
lookup ends up cloning a fa_file record, which is expensive. The change in the
branch sidesteps this by unrolling the needed fields from the fa_file record
before the scope of the "when" statement to avoid cloning the full data
structure.

I can see benefit in following up w/ a more robust answer to the potential cost
of "when" statements, but I'd rather not have to touch the serialization or
trigger code (at least for this release).

Also I don't get the comment in the ticket description about live operation
exhibiting different behavior. I'd expect it to be the same deal provided that
the live traffic includes enough files in
{{TeamCymruMalwareHashRegistry::match_file_types}} for the "when" stmt to
actually get hit.

> MHR lookups can cause significant CPU overhead in tests
> -------------------------------------------------------
>
> Key: BIT-1139
> URL: https://bro-tracker.atlassian.net/browse/BIT-1139
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: Robin Sommer
> Assignee: Jon Siwek
> Fix For: 2.3
>
>
> Live operation seems fine, need to understand what's going on.
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
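
The pattern described in the comment above, sketched as an added example; this is not the code from topic/jsiwek/faster-mhr. The module name, the `FileContext` record, the `lookup_hash` function, the `Hit` notice type and the `lookup_zone` value are all hypothetical placeholders. The fields the asynchronous body needs are copied out of the `fa_file` record first, and the "when" statement sits in a function that never has the `fa_file` in scope.

```bro
module SlimWhenExample;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type for this illustration.
		Hit
	};

	## Placeholder zone for the TXT lookup; not a real registry.
	const lookup_zone = "hash-lookup.example.invalid" &redef;
}

# Only the scalar values that the "when" body reports on.
type FileContext: record {
	fuid:   string;
	source: string;
};

function lookup_hash(hash: string, ctx: FileContext)
	{
	local hash_domain = fmt("%s.%s", hash, lookup_zone);

	# Everything visible here is a string or the two-field ctx record,
	# so no fa_file record is in scope for the "when" statement to clone.
	when ( local answer = lookup_hostname_txt(hash_domain) )
		{
		NOTICE([$note=Hit,
		        $msg=fmt("TXT answer for %s: %s", hash, answer),
		        $sub=fmt("file %s seen via %s", ctx$fuid, ctx$source)]);
		}
	}

event file_hash(f: fa_file, kind: string, hash: string)
	{
	if ( kind != "sha1" )
		return;

	# Unroll the needed fields before reaching the scope of "when".
	lookup_hash(hash, FileContext($fuid=f$id, $source=f$source));
	}
```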