[Bro] Yet Another Conference - like no other :)

Michal Purzynski michal at rsbac.org
Mon Oct 21 12:06:35 PDT 2013


> >
> > Slides from my recent talk about NSM @ Mozilla at YaC 2013 are here, a
> > full video will hopefully follow.
> >
> > http://tech.yandex.ru/events/yac/2013/talks/1131/
> >
>
> Nice presentation, it confirms a few things I was suspecting :-)
>
> I see you are logging to elasticsearch from Bro... have you taken a 
> look at Moloch for full packet capture? It's not included in Security 
> Onion (yet?) but we have played with it at work and we're now 
> budgeting for Moloch boxes. Moloch just recently added support for 
> pfring as well, and from the mailing list I saw someone posting that 
> they were using pfring with success. It does a really good job of 
> indexing packet captures and has some protocol decoders built in... 
> I've found I don't even need to pull a pcap out of it half the time 
> because I get a clear picture from Moloch's web interface.
>
> https://github.com/aol/moloch is their Github site
>
>
Replacing netsniff-ng with anything else is possible here, but I don't 
feel like I need it - SO has a great integration between pcap agent, 
ELSA and Bro. I can go to ELSA, find the flow I need and request a 
transcript - simple and very effective.

As for the metadata and data about my flows, content, protocol decoders, 
scripting - I would not change Bro for 1024 kg of pure gold, if that's 
what you are asking :)
