[Bro] Bro and Snort together

Michael Shirk shirkdog.bsd at gmail.com
Fri Oct 16 10:42:00 PDT 2015

On FreeBSD, I have created a script that sets up Bro+Snort with pulledpork
so you can test:


The key thing will be your specific use case for Bro+Snort as others have
mentioned, but with this install, you can tune down the Snort rules.

Michael Shirk
Daemon Security, Inc.

We're running Bro and Snort in parallel, but we're using DAG cards to
duplicate streams to Bro and Snort processes, so our performance
characteristics are a bit different. In general, though, it really depends
on how you manage the traffic that you're throwing at both, and how many
rules you have enabled in Snort. It *is* possible to keep packet loss
manageable, running them in parallel, but you'll have to trim down what
you have Snort running.

John Donaldson

On 10/16/15, 10:31 AM, "bro-bounces at bro.org on behalf of Vito Logrillo"
<bro-bounces at bro.org on behalf of vitologrillo at gmail.com> wrote:

>Hi all,
>Has anyone used Bro and Snort together on the same live traffic?
>If yes, any suggestion?
>For example, is it possible to send the same traffic to snort and bro
>without packet loss?
>Bro mailing list
>bro at bro-ids.org

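One way to tell whether the parallel setup is actually dropping packets on the Bro side, as an added example that is not code from this thread: summarise Bro's capture_loss.log, whose percent_lost column reports per-worker loss for each reporting interval. The sample log below is constructed to match that log's field layout; the 1% threshold is an assumed tuning target.

```python
"""Summarise Bro capture_loss.log to see how much traffic each worker is losing.
Added example, not from the mailing list thread.  SAMPLE_LOG is a constructed
log in Bro's tab-separated format with the capture_loss.log fields."""
from collections import defaultdict

# Constructed sample: two workers, two 15-minute intervals each.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#fields\tts\tts_delta\tpeer\tgaps\tacks\tpercent_lost
#types\ttime\tinterval\tstring\tcount\tcount\tdouble
1444999200.000000\t900.000000\tworker-1\t12\t48000\t0.025
1444999200.000000\t900.000000\tworker-2\t2100\t50000\t4.2
1445000100.000000\t900.000000\tworker-1\t9\t47500\t0.018947
1445000100.000000\t900.000000\tworker-2\t3500\t49000\t7.142857
"""


def parse_capture_loss(text):
    """Yield one dict per record, keyed by the names in the #fields header.
    Other '#' header lines (#separator, #types, #close, ...) are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        yield dict(zip(fields, line.split("\t")))


def worst_loss_per_peer(text):
    """Return {peer: highest percent_lost seen in any interval}."""
    worst = defaultdict(float)
    for rec in parse_capture_loss(text):
        pct = float(rec["percent_lost"])
        worst[rec["peer"]] = max(worst[rec["peer"]], pct)
    return dict(worst)


def peers_over_threshold(text, threshold=1.0):
    """Workers whose worst interval lost more than `threshold` percent (assumed target)."""
    return sorted(p for p, pct in worst_loss_per_peer(text).items() if pct > threshold)


if __name__ == "__main__":
    for peer, pct in sorted(worst_loss_per_peer(SAMPLE_LOG).items()):
        print(f"{peer}: worst interval lost {pct:.2f}% of packets")
    print("over threshold:", peers_over_threshold(SAMPLE_LOG))
```

Run it against a real capture_loss.log before and after trimming the Snort rule set or changing how the traffic is split, and compare the per-worker figures.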
