[Bro] Software frontend
sstattla at gmail.com
Fri Dec 10 11:57:46 PST 2010
> Definitely an interesting idea though.
Thank you. Like you mention, there are really multiple directions in which
this can go.
For passive analysis and for live traffic, where you're sending traffic
from your enterprise into the cloud for analysis, there would be
significant price involved if all packets were sent as-is. One can
imagine a more optimal setting where event-analysis can be done locally
and only the batched events are sent to the event-handler stage that
runs on the cloud.
Another idea and the one that I have in mind is that everything runs on
the cloud, even your enterprise. This makes much more sense. A cloud
provider can have a Bro Instance (like the existing Snort instance)
sitting in front of their cloud network or simply cloud web server.