[Bro] Multiple bro nodes

scott campbell scampbell at lbl.gov
Thu Feb 1 14:25:26 PST 2007



There are some notes and ideas regarding inter-bro communication (and
how it can be configured) here:

http://www.nersc.gov/~scottc/

particularly,

http://www.nersc.gov/~scottc/software/bro/broToBro.html

The bro conference presentations also have some information regarding
this.  Soon this will all make it to the wiki...

thanks!

scott


Christian Kreibich wrote:
> Hi there,
> 
> On Wed, 2007-01-31 at 22:01 +0800, CS Lee wrote:
>> Hi,
>>
>> I haven't seen any discussion on this matter yet, while I have heard
>> how bro developers fully utilize the bro-ids system.
>>
>> What's a good and standard management and maintenance process when
>> one deploys multiple bro-ids nodes in a site? This is tricky, as most
>> security admins always have their own way of administration, but I
>> would like to know how bro-ids developers such as Vern, Christian or
>> Robin are doing it, or others who would like to share their ideas.
> 
> I'm afraid there really is no definitive answer to this. It depends on
> the particular purpose of your distributed installation -- what events
> would you like to distribute, how big do you picture your network of Bro
> nodes to be, how sensitive are those (do you need to encrypt the
> communication), etc.
> 
>> How are the analysis and correlation processes done across
>> multiple bro-ids nodes?
> 
> All information is exchanged in the form of events. By writing suitable
> event handlers, you can perform arbitrary forms of analysis/aggregation/
> correlation on the events through the use of state tables and other
> typical Bro language features. (Note also that you can define multiple
> event handlers per event type, and that there is some meta-information
> on events available via built-in functions, such as is_remote_event().)
> 
>> I know the bro-ids documentation is improving, especially after the
>> wiki was launched, but I still can hardly find the answers to the
>> questions above. I would like to know how it is done in practice.
> 
> We're aware that documentation of the Bro communication features is
> sorely lacking. We're in the process of wikifying our documentation in
> the hope that it'll be easier for us to update it as the need arises. As
> always, scarcity of time is the main hurdle. :( The Broccoli manual has
> a reasonable level of detail on how to configure communicative setups.
> 
> Cheers,
> Christian.

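The pattern Christian describes above (events arriving from peer nodes, aggregated in a state table, with more than one handler per event type and is_remote_event() to tell remote events from local ones) as an added illustration in Bro/Zeek script syntax. This is not code from the thread or from the Bro project; the table name, threshold and expiry interval are assumptions chosen for the example.

```zeek
# Added example, not from the thread: correlate connection_established
# events received from peer Bro nodes on a central node.

# Assumed threshold; &redef lets a site override it in its own config.
const remote_conn_threshold = 50 &redef;

# State table: connections per originator, as reported by remote peers.
# Entries expire an hour after creation so the table cannot grow unbounded.
global remote_conns: table[addr] of count &default=0 &create_expire=1hr;

# First handler: aggregation and alerting on remote events only.
event connection_established(c: connection)
    {
    # Locally observed connections are handled by the local policy;
    # only count what other nodes told us about.
    if ( ! is_remote_event() )
        return;

    local orig = c$id$orig_h;
    ++remote_conns[orig];

    if ( remote_conns[orig] == remote_conn_threshold )
        print fmt("%s reached %d connections reported by remote nodes",
                  orig, remote_conns[orig]);
    }

# Second handler for the same event type: handlers are independent, so
# auditing of the event stream stays separate from the correlation logic.
event connection_established(c: connection)
    {
    if ( is_remote_event() )
        print fmt("remote connection_established: %s -> %s:%s",
                  c$id$orig_h, c$id$resp_h, c$id$resp_p);
    }
```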
