[Bro] Bro and Snort together
jwilliams at emergingthreats.net
Fri Oct 16 10:44:41 PDT 2015
I've had instances where I have used zbalance_ipc to help load balance
larger links for moloch. You can also use zbalance_ipc to create duplicate
zc streams that you can attach different processes to. I run bro / suri on
the same interface and haven't seen issues in operation.
On Fri, Oct 16, 2015 at 11:16 AM, Chris Williams <cw13 at umbc.edu> wrote:
> Is it possible to do this with multiple instances of pf_ring?
> On Oct 16, 2015 12:13 PM, "Donaldson, John" <donaldson8 at llnl.gov> wrote:
>> We're running Bro and Snort in parallel, but we're using DAG cards to
>> duplicate streams to Bro and Snort processes, so our performance
>> characteristics are a bit different. In general, though, it really depends
>> on how you manage the traffic that you're throwing at both, and how many
>> rules you have enabled in Snort. It *is* possible to keep packet loss
>> manageable, running them in parallel, but you'll have to trim down what
>> you have Snort running.
>> John Donaldson
>> On 10/16/15, 10:31 AM, "bro-bounces at bro.org on behalf of Vito Logrillo"
>> <bro-bounces at bro.org on behalf of vitologrillo at gmail.com> wrote:
>> >Hi all,
>> >Has anyone used Bro and Snort together on the same live traffic?
>> >If yes, any suggestions?
>> >For example, is it possible to send the same traffic to snort and bro
>> >without packet loss?