[Discussion] Virtues of a Multi-Sensor Environment

David J. Bianco david at vorant.com
Thu Oct 30 13:17:20 UTC 2008


Martin Holste wrote:
> I find both Sguil and Bro to be venerable platforms, however Seth, I
> think that Bro is better left as a sniffer/preprocessor.  I think that
> the bulk of the processing (I would even argue things like the libmagic
> part) are better left to another process that Bro ships interesting
> things to via Broccoli.  While Bro sports a lot of really good plugins
> and a fair amount of extensibility, I think it's the wrong design path
> to throw everything into it as a framework.  It is no accident that it
> lacks native database support and has no frontend, because it wasn't
> designed to be all-encompassing, it was designed to do the heavy lifting
> and pass the rest off via Broccoli.  But Bro does have the great
> strength of allowing for extremely rich signature scripts, as you
> pointed out.

I think that this point of view isn't really very far off from what Seth
and I have been discussing (if I understand you correctly, Seth). I think
we all agree Bro has a better policy engine, and some great non-signature-based
detection mechanisms.  And I think we also agree that Sguil has a
better front end and better analysis support.  A combination of these
two strengths would be a formidable new tool.

> 
> David, (I am a regular reader of your blog, BTW):

I have a reader!  Yay!

> I consider Sguil the
> closest thing to an out-of-the-box solution for NSM out there, and I
> think that it is 100% on the right track.  In my opinion, though, the
> entire Sguil architecture feels archaic and a bit kludgy, and I
> definitely require a web console as opposed to a Tcl-based console.

It's definitely a complicated beast, and yeah, there are better ways to do
a lot of what it does.  There has been some recent discussion on how to
change a lot of this (see our mailing list).  Richard Bejtlich has even
announced that he's going to be underwriting some major updates.  All this
is basically because we agree with your statement above, even if we didn't
put it in those words exactly.

	David
