[Bro] Multiple bro nodes
christian at whoop.org
Thu Feb 1 11:46:24 PST 2007
On Wed, 2007-01-31 at 22:01 +0800, CS Lee wrote:
> I haven't seen any discussion on this matter yet, while I have heard
> how bro developers fully utilize bro-ids system.
> What's the good and standard management and maintenance process when
> one deploy multiple bro-ids nodes in the site? This is tricky, as most
> of security admins always have their own way of administration, but I
> would like to know how bro-ids developers such as Vern, Christian or
> Robin doing it or others who would like to share the idea.
I'm afraid there really is no definitive answer to this. It depends on
the particular purpose of your distributed installation -- what events
would you like to distribute, how big do you picture your network of Bro
nodes to be, how sensitive are those (do you need to encrypt the
> How are the analysis and correlation process that can be done through
> multiple bro-ids node?
All information is exchanged in the form of events. By writing suitable
event handlers, you can perform arbitrary forms of analysis/aggregation/
correlation on the events through the use of state tables and other
typical Bro language features. (Note also that you can define multiple
event handlers per event type, and that there is some meta-information
on events available via built-in functions, such as is_remote_event().)
> I know bro-ids documentation is improving especially after wiki is
> launched. But I still hardly find the answer for the questions above.
> I would like to know how it is done practically.
We're aware that documentation of the Bro communication features is
sorely lacking. We're in the process of wikifying our documentation in
the hope that it'll be easier for us to update it as the need arises. As
always, scarcity of time is the main hurdle. :( The Broccoli manual has
a reasonable level of detail on how to configure communicative setups.
More information about the Bro