I'm curious if anyone has this turned on at scale, on production systems? If so, can
you speak to the performance impacts Seth mentioned below?
Seth,
any thoughts if this would be the same with 2.5 as it was when you originally posted? I
didn't see anything specific about it in release notes, so would we be correct to
assume the SHA256 analyzer would probably perform the same as what you saw back in Feb
16?
Thanks,
ryan
________________________________
From: bro-bounces(a)bro.org <bro-bounces(a)bro.org> on behalf of Shawn Homan
<shawn.homan(a)gmail.com>
Sent: Thursday, February 11, 2016 5:39 PM
To: Seth Hall
Cc: bro(a)bro.org
Subject: Re: [Bro] SHA256 Hash File Analyzer
Thanks for the information. I have it turned on in my offline system, but not sure how to
measure performance.
On Thu, Feb 11, 2016 at 10:40 AM, Seth Hall <seth@icir.org> wrote:
On Feb 10, 2016, at 4:55 PM, Shawn Homan <shawn.homan@gmail.com> wrote:
I was wondering if anyone can tell me why the sha256 hash functionality isn't turned
on by default for the files log.
I am working on something and needed to turn it on. I normally only use Bro to process
pcap files offline and have never used it on a live network.
Does it cause performance issues?
When I was setting the default behavior a few years ago, I did some very weak testing and
noticed that if I had md5 and sha1 turned on, the performance impact was ~1%, but it
jumped up somewhere between 3-4% when I enabled SHA256. That measurement should be
revisited sometime soon though and perhaps even better measurements done to see if that
performance impact is still there.
Generally though, there is nothing in place which is stopping you from enabling SHA256
file hashes.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/