[Bro] Bro and Snort together

Michael Shirk shirkdog.bsd at gmail.com
Fri Oct 16 10:42:00 PDT 2015


On FreeBSD, I have created a script that sets up Bro+Snort with pulledpork
so you can test:

https://github.com/shirkdog/hunter-nsm

The key thing will be your specific use case for Bro+Snort as others have
mentioned, but with this install, you can tune down the Snort rules.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

Vito,

We're running Bro and Snort in parallel, but we're using DAG cards to
duplicate streams to Bro and Snort processes, so our performance
characteristics are a bit different. In general, though, it really depends
on how you manage the traffic that you're throwing at both, and how many
rules you have enabled in Snort. It *is* possible to keep packet loss
manageable, running them in parallel, but you'll have to trim down what
you have Snort running.


John Donaldson



On 10/16/15, 10:31 AM, "bro-bounces at bro.org on behalf of Vito Logrillo"
<bro-bounces at bro.org on behalf of vitologrillo at gmail.com> wrote:

>Hi all,
>Has anyone used Bro and Snort together on the same live traffic?
>If yes, any suggestion?
>For example, is it possible to send the same traffic to snort and bro
>without packet loss?
>Thanks
>_______________________________________________
>Bro mailing list
>bro at bro-ids.org
>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



