[Bro] Bro and Snort together
Chris Williams
cw13 at umbc.edu
Fri Oct 16 09:16:12 PDT 2015
Is it possible to do this with multiple instances of pf_ring?
On Oct 16, 2015 12:13 PM, "Donaldson, John" <donaldson8 at llnl.gov> wrote:
> Vito,
>
> We're running Bro and Snort in parallel, but we're using DAG cards to
> duplicate streams to Bro and Snort processes, so our performance
> characteristics are a bit different. In general, though, it really depends
> on how you manage the traffic that you're throwing at both, and how many
> rules you have enabled in Snort. It *is* possible to keep packet loss
> manageable, running them in parallel, but you'll have to trim down what
> you have Snort running.
>
>
> John Donaldson
>
>
>
> On 10/16/15, 10:31 AM, "bro-bounces at bro.org on behalf of Vito Logrillo"
> <bro-bounces at bro.org on behalf of vitologrillo at gmail.com> wrote:
>
> >Hi all,
> >Anyone have used Bro and Snort together to the same live traffic?
> >If yes, any suggestion?
> >For example, is it possible to send the same traffic to snort and bro
> >without packet loss?
> >Thanks
> >_______________________________________________
> >Bro mailing list
> >bro at bro-ids.org
> >http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151016/471229a7/attachment.html
More information about the Bro
mailing list