[Discussion] Virtues of a Multi-Sensor Environment

Matt Jonkman jonkman at jonkmans.com
Thu Oct 30 13:26:39 UTC 2008


I also agree that Bro is a great tool, and does some of what we want to do.

Unfortunately I think we may get to a point where it can't do some of
the things that make our final feature list. The extreme multi-threading
may be one of those. But there are several others that will be a
challenge to Bro. And Bro already has its own roadmap and goals to hit.

It's definitely not out of the question that we look to start with Bro,
but if we pursue some of our major goals I don't think that'll be the
best option.

Interoperability or data sharing with Bro may be a more feasible option.

Thoughts?

Matt

David J. Bianco wrote:
> Martin Holste wrote:
>> I find both Sguil and Bro to be venerable platforms, however Seth, I
>> think that Bro is better left as a sniffer/preprocessor.  I think that
>> the bulk of the processing (I would even argue things like the libmagic
>> part) are better left to another process that Bro ships interesting
>> things to via Broccoli.  While Bro sports a lot of really good plugins
>> and a fair amount of extensibility, I think it's the wrong design path
>> to throw everything into it as a framework.  It is no accident that it
>> lacks native database support and has no frontend, because it wasn't
>> designed to be all-encompassing, it was designed to do the heavy lifting
>> and pass the rest off via Broccoli.  But Bro does have the great
>> strength of allowing for extremely rich signature scripts, as you
>> pointed out.
> 
> I think that this point of view isn't really very far off from what Seth
> and I have been discussing (if I understand you correctly, Seth). I think
> we all agree Bro has a better policy engine, and some great non-signature
> based detection mechanisms.  And I think we also agree that Sguil has a
> better front end and better analysis support.  A combination of these
> two strengths would be a formidable new tool.
> 
>> David, (I am a regular reader of your blog, BTW):
> 
> I have a reader!  Yay!
> 
>> I consider Sguil the
>> closest thing to an out-of-the-box solution for NSM out there, and I
>> think that it is 100% on the right track.  In my opinion, though, the
>> entire Sguil architecture feels archaic and a bit kludgy, and I
>> definitely require a web console as opposed to a Tcl-based console.
> 
> It's definitely a complicated beast, and yeah, there are better ways to do
> a lot of what it does.  There has been some recent discussion on how to
> change a lot of this (see our mailing list).  Richard Bejtlich has even
> announced that he's going to be underwriting some major updates.  All this
> is basically because we agree with your statement above, even if we didn't
> put it in those words exactly.
> 
> 	David
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc