[Discussion] Virtues of a Multi-Sensor Environment
David J. Bianco
david at vorant.com
Thu Oct 30 13:01:17 UTC 2008
Seth Hall wrote:
>
> Bro's signature matching is only poor because it isn't used much by
> anyone that uses Bro heavily. I don't believe that it would be too much
> of a project to flesh out the signature matching capabilities of Bro to
> mirror Snort.
I'm sure it's possible to correct. I wouldn't underestimate the difficulty,
though. Snort really has a lot going for it already, including the functional
equivalent of the bidirectional matching (at least, if I understand Bro's
capability correctly). Snort just uses the flowbits construct for that.
>
> My point is just that Bro is very much in a position to be a central
> framework. Much more so than any other tools currently available.
>
Believe me, I'm not dissing Bro at all. You're right that it does a great
job as both a suite of detectors and a policy engine. And I think I may have
given the mistaken impression that I'm advocating that we use Sguil for this.
In fact, I don't care what we use as the framework basis, or if we invent
something new. In fact, I really want to see the good parts of both Bro
and Sguil, merged into a unified framework, and let the end users figure
out which detectors they need.
>> All these events should go to the same
>> analysis tool, they should be organized effectively, searchable,
>> cross-referenced, and tied to forensic data (network sessions, packet
>> captures, log files, etc).
>
> I definitely agree with this! Bro doesn't have anything yet that is end
> user focused towards doing forensics with the data being generated. If
> Squil could give it that frontend, that would be awesome.
Yeah, I'm pretty hopeful about this. If I can get them working together
properly, the combination could be very powerful. "Join me, and together
we can rule the galaxy!"
David
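The flowbits construct David mentions is what lets Snort tie a match on one direction of a session to a later match on the other direction. The rule pair below is an added illustration for readers of this archive, not something posted to the thread or shipped with Snort, Bro or Sguil; the ports, content strings, flowbit name and sids are constructed placeholders. The first rule sets a flowbit when a particular request is seen and suppresses its own alert; the second rule only fires on the server's reply if that flowbit was set earlier on the same flow, which is the bidirectional matching being compared with Bro's.

```snort
# Constructed example: bidirectional matching with Snort flowbits.
# Rule 1: note the client request on this flow, but do not alert on it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE request seen"; flow:to_server,established; content:"GET /example"; flowbits:set,example.request; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: alert on the server response only when Rule 1 already matched
# on the same flow; on its own this content would be too noisy to alert on.
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"EXAMPLE response after request"; flow:to_client,established; flowbits:isset,example.request; content:"EXAMPLE-MARKER"; sid:1000002; rev:1;)
```

Snort tracks the flowbit per flow, so a response carrying the marker on a session where the request was never seen produces no alert. The same two-stage pattern is what an analyst would want surfaced in a single console, with both halves of the session available for review, which is the multi-sensor point of the thread.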