[Bro] Infrastructure with Bro and SDN-capable switch

Seth Hall seth at icir.org
Mon Nov 10 06:48:23 PST 2014

> On Nov 10, 2014, at 7:52 AM, just2 at arcor.de wrote:
> Goal is to reduce packet drops in IDS by installing a SDN-capable switch which filters and only redirects suspicious content to the IDS, thus reducing workload on the IDS and therefore packet drops.

This is something that people in our community are already starting to do except that it's typically done backwards from what you are describing.  All traffic is directed to the IDS until the IDS decides that it doesn't want to see it anymore and then it is "shunted" on the switch (or at other locations).

In my opinion, doing the opposite isn't possible because what is deciding what's suspicious?  That sounds like the job of an IDS. ;)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list