[Bro] Monitoring a directory and running bro on the PCAPs

Art Maddalena Art.Maddalena at teamaol.com
Sun Oct 2 09:14:48 PDT 2016


Moloch is amazing and Erik makes a good point. I am likely going to
continue to duplicate capture due to the amount of data being captured. Bro
and Moloch are both fantastic complements to most security stacks. I can't
wait for the latest bro release to come out of beta!

@Michael: if you haven't checked out Moloch recently I would recommend
checking out the latest version and giving it a go as we are constantly
developing!

Open source ftw!

Thanks again for everyone's input! This community is fantastically helpful.

- Art
On Sun, Oct 2, 2016 at 10:38 Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> So is netsniff-ng - well, not technically multi-threaded but multi-process,
> yes. It does not do indexing but it is much lighter and friendlier to tune.
>
> > On 2 Oct 2016, at 14:31, erik clark <philosnef at gmail.com> wrote:
> >
> > Moloch is a threaded pcap writer. You are writing multiple pcaps
> concurrently. Spewing that kind of content at bro probably will not have
> the desired effect, causing loss of session information and who knows what
> else. I agree that you should drop another link off your tap and feed it
> just to bro.
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>