[Oisf-devel] Suricata, Bro and Broccoli

Seth Hall seth at icir.org
Sat Dec 1 03:40:21 UTC 2012


On Nov 29, 2012, at 11:49 AM, Daniel Wyschogrod <dwyschogrod at bbn.com> wrote:

> I would very much appreciate some pointers to the portions of the Suricata source code that deals with the host tables and whatever hooks may be currently available.  However, some of the other sensors that we're working with involve things like connection fan-out and fan-in (how many servers is a client talking to, is a previously client-type machine newly behaving like a server and for what services, etc.) which involve aggregating connections and our initial thought was to use Bro to help with this.


For what you are talking about doing, it's likely that you'd be able to do it solely with Bro (we are moving in the direction of being able to make Bro natively consume unified2 files, but we can talk about that later).  In our 2.2 release we're going to have a reworked metrics framework for measurements too which includes cluster transparency to mitigate effects of fan-out/load-balancing.  This is even testable now and should hopefully be in the master branch of our repository soon.

Could you describe in more detail what you want to measure?  My experience so far has been that most things I've tried to measure with Bro's metrics framework are surprisingly easy.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/