Snort mailing list archives
Quickstart for Bro Cluster
From: Martin Holste <mcholste () gmail com>
Date: Tue, 27 Sep 2011 10:17:42 -0500
I'm cross-posting this because I think Bro is a very helpful supplement to anyone running an IDS, and it sounded like that was pretty much the consensus at RAID 2011.

If you're looking to get Bro up and running as a proof-of-concept, check out my first post on it here: http://ossectools.blogspot.com/2011/08/monitoring-ssl-connections-with-bro.html. If you want it to scale up to a large pipe (anything over 80 Mb/sec), check out my new post on Bro cluster (http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html), which will show how to set it up to take advantage of a multi-core system and forward its logs to a SIEM or central syslog.

If you're not currently using Bro and are wondering why you should bother, consider that Bro provides a great way to survey the SSL traffic that's on your network, and a lot of malware uses SSL for command-and-control channels. It's a terrific way of seeing what email and attachments are being transferred, which can help you spot suspicious attachments, phishing, etc. In addition, it will record the MD5 and URL of every executable downloaded, which can be a real help during incident response. It has many more features (like being able to receive Snort alerts), but these are just some of the immediate benefits you get from running it alongside your current IDS.

Thanks,
Martin