<div dir="ltr">Wow, I haven't looked at Bro in over a year, and the new additions to 1.4 are stunning. Nice work! I agree that Bro certainly has all of the back-end features that we have been discussing, down the HTTP sniffer I was alluding to earlier, the realtime loading of IP lists, and the scripts versus signatures design. Most importantly, it has a scalable, extremely modular design. I think what Bro has been missing is a community just like this to act as a catalyst for breaking out it of its niche in academia and becoming something that average organizations can use. <br>
<br>I think that it's telling that Bro only recently got the ability to write anything to a database bundled with it natively, as that's a basic requirement for many people. As I look through the policy scripts, it's like I'm walking through a strange wonderland where anything is possible and great things are happening, but I have no idea what's going on. There is a rather steep learning curve for the Bro scripting language, and though well documented, I think that's rather off-putting for a lot of people. I actually had an easier time understanding what was going on with the pehunter source code written in C than I did trying to read the Bro scripting language straight-up. I'm not saying that it's not worth learning, I'm just saying that there's a pretty significant initial investment needed to get going with it. I think what this group could do would be to provide standards, tools, etc. for keeping track of all of these policies, writing new ones, and providing a comprehensive framework for managing it all, and a frontend for acting on the intelligence it provides. I see Bro as something of an uncut diamond.<br>
<br>If this group adopted Bro as a platform of choice, I think we'd have a real shot at decreeing that "this group shall re-invent no wheels" and still achieve all of the goals we set out to do. The idea being that we're not here to resolve problems, but rather to apply and focus work already done into something that produces community-aware, actionable intelligence instead of log files. I will start a new thread with the beginnings of a proposal to the group to explore that idea further. <br>
<br><div class="gmail_quote">On Sun, Oct 19, 2008 at 10:27 AM, Matt Jonkman <span dir="ltr"><<a href="mailto:jonkman@jonkmans.com" target="_blank">jonkman@jonkmans.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I definitely agree. There are a great number of features in bro that we<br>
can learn from or steal. :)<br>
<br>
Matt<br>
<div><div></div><div><br>
Thorsten Holz wrote:<br>
> On 19.10.2008, at 06:25, Seth Hall wrote:<br>
><br>
>> Sorry, I just joined the list so I'm going to be doing some odd<br>
>> quoting from the list archive :) I do want to point out too, that I'm<br>
>> not writing this email to downplay OISFs goals but rather to hopefully<br>
>> guide OISF toward improving an existing opensource project (Bro -<br>
>> <a href="http://www.bro-ids.org/" target="_blank">http://www.bro-ids.org/</a><br>
>> ) that already does much of what is being discussed on this list.<br>
><br>
> I agree with Seth: why implement something completely new when you<br>
> can extend an existing project that already contains many features<br>
> that should be included in the resulting tool? Bro has some cool<br>
> features and could be considered as a starting point.<br>
><br>
> Cheers,<br>
> Thorsten<br>
> _______________________________________________<br>
> Discussion mailing list<br>
> <a href="mailto:Discussion@openinfosecfoundation.org" target="_blank">Discussion@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
<br>
</div></div>--<br>
--------------------------------------------<br>
Matthew Jonkman<br>
Emerging Threats<br>
Phone 765-429-0398<br>
Fax 312-264-0205<br>
<a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
--------------------------------------------<br>
<br>
PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br>
<div><div></div><div><br>
<br>
_______________________________________________<br>
Discussion mailing list<br>
<a href="mailto:Discussion@openinfosecfoundation.org" target="_blank">Discussion@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
</div></div></blockquote></div><br></div>