Snort mailing list archives

Quickstart for Bro Cluster


From: Martin Holste <mcholste () gmail com>
Date: Tue, 27 Sep 2011 10:17:42 -0500

I'm cross-posting this because I think Bro is a very helpful
supplement to anyone running an IDS, and it sounded like that was
pretty much the consensus at RAID 2011.  If you're looking to get Bro
up and running as a proof-of-concept, check out my first post on it
here: http://ossectools.blogspot.com/2011/08/monitoring-ssl-connections-with-bro.html.
If you want it to scale up to a large pipe (anything over 80 Mb/sec),
check out my new post on Bro cluster
(http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html)
which will show how to set it up to take advantage of a multi-core
system and forward its logs to an SIEM or central syslog.

If you're not currently using Bro and are wondering why you should
bother, consider that Bro provides a great way to survey the SSL
traffic that's on your network, and a lot of malware uses SSL for
command-and-control channels.  It's a terrific way of seeing what
email and attachments are being transferred, which can help you spot
suspicious attachments, phishing, etc.  In addition, it will record
the MD5 and URL of every executable downloaded, which can be a real
help during incident response.  It has many more features (like being
able to receive Snort alerts), but these are just some of the
immediate benefits you get from running it alongside your current IDS.

Thanks,

Martin
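The post mentions two things a practitioner would use right away: the MD5 and URL Bro records for every executable download, and forwarding Bro's logs to a SIEM or central syslog. The script below is an added example for this thread (it is not code from the original post or from the Bro project). It parses a Bro 2.x ASCII log using the `#fields` and `#unset_field` header lines rather than fixed column positions, pulls out executable downloads with their MD5 and reconstructed URL, and renders each hit as a key=value line a syslog forwarder can carry. The sample http.log is constructed for the example and trimmed to the columns the script uses; the column names `host`, `uri`, `mime_type` and `md5` are assumed to be present.

```python
"""Extract the MD5 and URL of executable downloads from a Bro http.log and
render them as syslog-friendly key=value lines.

Added example for this thread; not code from the original post or from the
Bro project. Assumptions: Bro 2.x ASCII logs (tab-separated, with '#fields'
and '#unset_field' header lines) and an http.log carrying 'host', 'uri',
'mime_type' and 'md5' columns. The sample log below is constructed.
"""
from typing import Dict, Iterator, List, Optional

# Constructed sample: a trimmed Bro 2.x http.log (real logs have more columns).
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\tmime_type\tmd5\n"
    "#types\ttime\taddr\taddr\tstring\tstring\tstring\tstring\tstring\n"
    "1317136662.123\t10.0.0.5\t203.0.113.10\tGET\texample.com\t/index.html"
    "\ttext/html\t-\n"
    "1317136670.456\t10.0.0.5\t203.0.113.10\tGET\texample.com\t/update.exe"
    "\tapplication/x-dosexec\td41d8cd98f00b204e9800998ecf8427e\n"
    "1317136680.789\t10.0.0.7\t198.51.100.3\tGET\tcdn.example.net\t/setup.msi"
    "\tapplication/octet-stream\t-\n"
)

# Two signals for "this body is an executable": the MIME type Bro sniffed, or
# an executable-looking path (servers routinely mislabel binaries as octet-stream).
EXECUTABLE_MIME_TYPES = {
    "application/x-dosexec",
    "application/x-executable",
    "application/x-msdownload",
}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr", ".msi")


def parse_bro_log(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record, keyed by the names in the '#fields' header.

    Column order is taken from the header, so a log with extra or reordered
    columns still parses. Unset fields ('-' by default) become None and empty
    fields become '' so callers never confuse a marker with real data.
    """
    fields: List[str] = []
    unset, empty = "-", "(empty)"
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            elif key == "#empty_field":
                empty = rest
            continue
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
        yield {f: (None if v == unset else "" if v == empty else v)
               for f, v in zip(fields, values)}


def is_executable(rec: Dict[str, Optional[str]]) -> bool:
    """True when either the MIME type or the request path says 'executable'."""
    if rec.get("mime_type") in EXECUTABLE_MIME_TYPES:
        return True
    path = (rec.get("uri") or "").split("?", 1)[0].lower()
    return path.endswith(EXECUTABLE_EXTENSIONS)


def executable_downloads(text: str) -> List[Dict[str, Optional[str]]]:
    """Return timestamp, client, URL and MD5 for every executable download."""
    hits = []
    for rec in parse_bro_log(text):
        if not is_executable(rec):
            continue
        hits.append({
            "ts": rec["ts"],
            "client": rec["id.orig_h"],
            "url": f"http://{rec['host']}{rec['uri']}",
            "md5": rec.get("md5"),  # None when Bro did not hash the body
        })
    return hits


def to_syslog_line(hit: Dict[str, Optional[str]]) -> str:
    """Render a hit as one key=value line; unset values are emitted as empty."""
    parts = []
    for key, value in hit.items():
        text = "" if value is None else value
        parts.append(f'{key}="{text}"')
    return "bro_exe_download " + " ".join(parts)


if __name__ == "__main__":
    for hit in executable_downloads(SAMPLE_HTTP_LOG):
        print(to_syslog_line(hit))
```

In the sample, `/update.exe` is caught by its sniffed MIME type and carries an MD5, while `/setup.msi` is caught only by its path and has no hash because the server labelled it `application/octet-stream` and Bro did not hash it; keeping that distinction visible in the forwarded line is what lets an analyst know which hits can be matched against a hash feed and which need the body re-fetched.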

Snort-users mailing list
Snort-users () lists sourceforge net