[Bro] Yet Another Conference - like no other :)

Jon Schipp jonschipp at gmail.com
Thu Oct 24 09:33:24 PDT 2013


Thanks for sharing, Michal.


On Mon, Oct 21, 2013 at 2:06 PM, Michal Purzynski <michal at rsbac.org> wrote:

>
> > >
> > > Slides from my recent talk about NSM @ Mozilla at YaC 2013 are here, a
> > > full video will hopefully follow.
> > >
> > > http://tech.yandex.ru/events/yac/2013/talks/1131/
> > >
> >
> > Nice presentation, it confirms a few things I was suspecting :-)
> >
> > I see you are logging to elasticsearch from Bro... have you taken a
> > look at Moloch for full packet capture? It's not included in Security
> > Onion (yet?) but we have played with it at work and we're now
> > budgeting for Moloch boxes. Moloch just recently added support for
> > pfring as well, and from the mailing list I saw someone posting that
> > they were using pfring with success. It does a really good job of
> > indexing packet captures and has some protocol decoders built in...
> > I've found I don't even need to pull a pcap out of it half the time
> > because I get a clear picture from Moloch's web interface.
> >
> > https://github.com/aol/moloch is their GitHub site
> >
> >
> Replacing netsniff-ng with anything else is possible here, but I don't
> feel like I need it - SO has a great integration between pcap agent,
> ELSA and Bro. I can go to ELSA, find the flow I need and request a
> transcript - simple and very effective.
>
> As for the metadata and data about my flows, content, protocol decoders,
> scripting - I would not change Bro for 1024 kg of pure gold, if that's
> what you are asking :)



-- 
Jon Schipp,
jonschipp.com, sickbits.net