[Oisf-devel] Suricata, Bro and Broccoli

Daniel Wyschogrod dwyschogrod at bbn.com
Thu Nov 29 16:49:20 UTC 2012


I would very much appreciate some pointers to the portions of the Suricata source code that deal with the host tables and whatever hooks may be currently available. However, some of the other sensors that we're working with involve things like connection fan-out and fan-in (how many servers is a client talking to, is a previously client-type machine newly behaving like a server and for what services, etc.) which involve aggregating connections, and our initial thought was to use Bro to help with this.

Dan
____________________
Dan Wyschogrod

Senior Scientist
Cyber Security
Raytheon/BBN Technologies

dwyschogrod at bbn.com




On Nov 29, 2012, at 11:40 AM, Victor Julien <victor at inliniac.net> wrote:

> On 11/29/2012 05:33 PM, Daniel Wyschogrod wrote:
>> We are considering multi-flow and packet correlation for a number of our
>> existing sensors that we want to port to a combination of Suricata
>> and/or Bro environments.  Some examples include matching ICMP echo and
>> echo reply messages and counting various types of ICMP messages coming
>> from individual IP addresses.  We were thinking of using Suricata to
>> identify ICMP message types and then using Bro to do the counting per IP
>> address, or something like that.  Our previous implementation used a
>> specialized architecture.
> 
> While I don't want to discourage building a bro-suri connection, I think
> it's also worth exploring if the per ip tracking can be done in suri
> alone. We already have a scalable host table in suricata, and adding
> things like hostints, hostbits, etc (pretty much what we have for flows
> currently) will not be hard. Maybe this could accomplish a lot of what
> you need already.
> 
>> Dan
>> 
>>> Victor Julien <mailto:victor at inliniac.net>
>>> November 29, 2012 11:14 AM
>>> 
>>> We've been talking to the Bro guys about this, but as far as I know,
>>> nothing has been done yet.
>>> 
>>> What kind of multi-flow correlation are you looking for?
>>> 
>> 
>> -- 
>> ________________
>> Dan Wyschogrod
>> 
>> Senior Scientist
>> Cyber Security
>> Raytheon/BBN Technologies
>> 
>> dwyschogrod at bbn.com
>> 
> 
> 
> -- 
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
> 
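The thread names three kinds of per-host aggregation: pairing ICMP echo requests with their replies, counting ICMP message types per source IP, and tracking connection fan-out / fan-in to spot a host that used to be only a client and is now accepting connections. The script below is an added example of that aggregation written for this page; it is not Suricata, Bro or Broccoli code and does not use Suricata's host table or hostbits. It assumes a hypothetical, constructed flow-record format (the `Flow` dataclass and the `FLOWS` sample list) standing in for whatever a sensor would export, and keeps the per-host state in plain Python dictionaries.

```python
"""Per-host aggregation of the kind discussed in the thread.

Added illustration, not Suricata or Bro code. The record format below is
a constructed, hypothetical flow log, not Suricata's eve.json or Bro's
conn.log, and the sample records are made up for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float            # seconds, monotonically increasing in the sample
    src: str
    dst: str
    proto: str           # "icmp" or "tcp"
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply (RFC 792)
    icmp_id: int = -1    # ICMP identifier field, used to pair request/reply
    dport: int = -1      # TCP destination port


# Constructed sample records (not from any real capture).
FLOWS = [
    Flow(1.0, "10.0.0.5", "10.0.0.9", "icmp", 8, 100),
    Flow(1.1, "10.0.0.9", "10.0.0.5", "icmp", 0, 100),
    Flow(2.0, "10.0.0.5", "10.0.0.10", "icmp", 8, 101),
    Flow(2.0, "10.0.0.5", "10.0.0.11", "icmp", 8, 102),  # never answered
    Flow(2.1, "10.0.0.10", "10.0.0.5", "icmp", 0, 101),
    Flow(3.0, "10.0.0.5", "10.0.0.12", "icmp", 3),       # dest unreachable
    Flow(4.0, "10.0.0.5", "10.0.0.20", "tcp", dport=80),
    Flow(4.5, "10.0.0.5", "10.0.0.21", "tcp", dport=443),
    Flow(5.0, "10.0.0.7", "10.0.0.20", "tcp", dport=80),
    Flow(9.0, "10.0.0.30", "10.0.0.5", "tcp", dport=22),  # 10.0.0.5 now serves
]


def icmp_type_counts(flows):
    """Count ICMP messages per source IP, broken down by ICMP type."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto == "icmp":
            counts[f.src][f.icmp_type] += 1
    return {ip: dict(types) for ip, types in counts.items()}


def pair_echo_requests(flows):
    """Match echo requests (type 8) with echo replies (type 0) using the
    (requester, target, identifier) triple. Returns (matched, unanswered),
    where matched is a list of (request, reply) pairs and unanswered the
    requests that never saw a reply."""
    pending = {}
    matched = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.proto != "icmp":
            continue
        if f.icmp_type == 8:
            pending[(f.src, f.dst, f.icmp_id)] = f
        elif f.icmp_type == 0:
            # A reply travels target -> requester, so swap src/dst to look up.
            req = pending.pop((f.dst, f.src, f.icmp_id), None)
            if req is not None:
                matched.append((req, f))
    return matched, list(pending.values())


def fan_out_in(flows):
    """fan_out[ip] = number of distinct (server, port) pairs the host
    connected to; fan_in[ip] = number of distinct clients that connected
    to it. Only TCP flows are counted."""
    fan_out = defaultdict(set)
    fan_in = defaultdict(set)
    for f in flows:
        if f.proto == "tcp":
            fan_out[f.src].add((f.dst, f.dport))
            fan_in[f.dst].add(f.src)
    return ({ip: len(s) for ip, s in fan_out.items()},
            {ip: len(s) for ip, s in fan_in.items()})


def new_server_roles(flows, baseline_end):
    """Hosts that acted only as TCP clients before baseline_end but accept
    connections after it, mapped to the sorted ports they now serve."""
    clients_before, servers_before = set(), set()
    served_after = defaultdict(set)
    for f in flows:
        if f.proto != "tcp":
            continue
        if f.ts < baseline_end:
            clients_before.add(f.src)
            servers_before.add(f.dst)
        else:
            served_after[f.dst].add(f.dport)
    return {ip: sorted(ports) for ip, ports in served_after.items()
            if ip in clients_before and ip not in servers_before}


if __name__ == "__main__":
    print("ICMP types per source:", icmp_type_counts(FLOWS))
    matched, unanswered = pair_echo_requests(FLOWS)
    print("echo pairs:", len(matched), "unanswered:",
          [(r.src, r.dst) for r in unanswered])
    out, inn = fan_out_in(FLOWS)
    print("fan-out:", out, "fan-in:", inn)
    print("new server roles after t=6:", new_server_roles(FLOWS, 6.0))
```

The pairing key deliberately includes the ICMP identifier rather than only the address pair, so concurrent pings from one host to one target are not cross-matched; the role-change check is the fan-in counterpart of the fan-out question in the message above and only needs the same per-host sets that Suricata's host table would hold.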
