[Bro] Bro and Snort together

Michał Purzyński michalpurzynski1 at gmail.com
Fri Oct 16 14:33:11 PDT 2015


Sure. Take a look at securityonion or do it yourself. Works with pfring and
(soon) afpacket.

On Fri, Oct 16, 2015, 20:03 Jason Williams <jwilliams at emergingthreats.net>
wrote:

> I've had instances where I have used zbalance_ipc to help load balance
> larger links for moloch. You can also use zbalance_ipc to create duplicate
> zc streams that you can attach different processes to. I run bro / suri on
> the same interface and haven't seen issues in operation.
>
> On Fri, Oct 16, 2015 at 11:16 AM, Chris Williams <cw13 at umbc.edu> wrote:
>
>> Is it possible to do this with multiple instances of pf_ring?
>> On Oct 16, 2015 12:13 PM, "Donaldson, John" <donaldson8 at llnl.gov> wrote:
>>
>>> Vito,
>>>
>>> We're running Bro and Snort in parallel, but we're using DAG cards to
>>> duplicate streams to Bro and Snort processes, so our performance
>>> characteristics are a bit different. In general, though, it really depends
>>> on how you manage the traffic that you're throwing at both, and how many
>>> rules you have enabled in Snort. It *is* possible to keep packet loss
>>> manageable, running them in parallel, but you'll have to trim down what
>>> you have Snort running.
>>>
>>>
>>> John Donaldson
>>>
>>>
>>>
>>> On 10/16/15, 10:31 AM, "bro-bounces at bro.org on behalf of Vito Logrillo"
>>> <bro-bounces at bro.org on behalf of vitologrillo at gmail.com> wrote:
>>>
>>> >Hi all,
>>> >Has anyone used Bro and Snort together on the same live traffic?
>>> >If yes, any suggestions?
>>> >For example, is it possible to send the same traffic to snort and bro
>>> >without packet loss?
>>> >Thanks
>>> >_______________________________________________
>>> >Bro mailing list
>>> >bro at bro-ids.org
>>> >http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>>
>>
>