[Oisf-devel] Suricata, Bro and Broccoli

Victor Julien victor at inliniac.net
Thu Nov 29 16:40:05 UTC 2012


On 11/29/2012 05:33 PM, Daniel Wyschogrod wrote:
> We are considering multi-flow and packet correlation for a number of our
> existing sensors that we want to port to a combination of Suricata
> and/or Bro environments.  Some examples include matching ICMP echo and
> echo reply messages and counting various types of ICMP messages coming
> from individual IP addresses.  We were thinking of using Suricata to
> identify ICMP message types and then using Bro to do the counting per IP
> address, or something like that.  Our previous implementation used a
> specialized architecture.

While I don't want to discourage building a bro-suri connection, I think
it's also worth exploring if the per-IP tracking can be done in suri
alone. We already have a scalable host table in suricata, and adding
things like hostints, hostbits, etc (pretty much what we have for flows
currently) will not be hard. Maybe this could accomplish a lot of what
you need already.

> Dan
> 
>> Victor Julien <mailto:victor at inliniac.net>
>> November 29, 2012 11:14 AM
>>
>> We've been talking to the Bro guys about this, but as far as I know,
>> nothing has been done yet.
>>
>> What kind of multi-flow correlation are you looking for?
>>
> 
> -- 
> ________________
> Dan Wyschogrod
> 
> Senior Scientist
> Cyber Security
> Raytheon/BBN Technologies
> 
> dwyschogrod at bbn.com
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
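The approach Victor sketches above (a per-IP host table carrying counters and flags, the way flowints/flowbits work per flow) can be modelled in a few lines. The Python below is an added illustration, not Suricata code and not anything from the thread: it keeps one entry per source IP, counts ICMP message types per IP, pairs echo replies with the echo requests they answer, and raises an alert once when one source exceeds an assumed echo-request threshold. The names HostEntry, hostints/hostbits-style fields, the threshold value and the sample packets are all constructed for the example.

```python
"""Per-source-IP ICMP tracking modelled on a host table with counters and flags.

Added example for the thread above; it is not Suricata code.  The counter
and flag fields stand in for the 'hostints' / 'hostbits' idea mentioned in
the discussion; their names and the threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8

# Assumed value: echo requests from one source before it is flagged as sweeping.
SWEEP_THRESHOLD = 5


@dataclass
class HostEntry:
    """State kept per IP address (one entry per host, like a host-table row)."""
    ints: dict = field(default_factory=lambda: defaultdict(int))  # named counters ("hostints")
    bits: set = field(default_factory=set)                         # named flags ("hostbits")
    pending_echo: set = field(default_factory=set)                 # (id, seq) of unanswered echo requests


def process_icmp(packets, threshold=SWEEP_THRESHOLD):
    """Walk ICMP packets given as (src, dst, icmp_type, icmp_id, icmp_seq) tuples.

    Returns (hosts, alerts): hosts maps IP -> HostEntry, alerts is a list of tuples.
    """
    hosts = defaultdict(HostEntry)
    alerts = []
    for src, dst, itype, ident, seq in packets:
        h = hosts[src]
        h.ints[f"icmp.type.{itype}"] += 1        # count every ICMP type per source IP

        if itype == ICMP_ECHO_REQUEST:
            h.pending_echo.add((ident, seq))     # remember the request until a reply matches it
            # The flag makes the sweep alert fire once per host, the way a
            # flowbit is used to suppress repeated flow alerts.
            if h.ints[f"icmp.type.{itype}"] >= threshold and "icmp_sweep" not in h.bits:
                h.bits.add("icmp_sweep")
                alerts.append(("icmp_sweep", src))

        elif itype == ICMP_ECHO_REPLY:
            # A reply correlates with a request that the *destination* host sent earlier,
            # so the lookup is against the requester's entry, not the replier's.
            requester = hosts[dst]
            if (ident, seq) in requester.pending_echo:
                requester.pending_echo.discard((ident, seq))
                requester.ints["icmp.echo.answered"] += 1
            else:
                alerts.append(("unsolicited_echo_reply", src, dst))

    return hosts, alerts


# Constructed sample traffic (not captured data): one answered and one unanswered
# echo request from 10.0.0.1, an unsolicited reply from 10.0.0.9, a destination
# unreachable from 10.0.0.2, and six echo requests from 10.0.0.5 to different hosts.
SAMPLE_PACKETS = [
    ("10.0.0.1", "10.0.0.2", ICMP_ECHO_REQUEST, 0x1234, 1),
    ("10.0.0.2", "10.0.0.1", ICMP_ECHO_REPLY,   0x1234, 1),   # answers the request above
    ("10.0.0.1", "10.0.0.2", ICMP_ECHO_REQUEST, 0x1234, 2),   # never answered
    ("10.0.0.9", "10.0.0.1", ICMP_ECHO_REPLY,   0x0BAD, 7),   # no matching request
    ("10.0.0.2", "10.0.0.1", ICMP_DEST_UNREACH, 0, 0),
] + [("10.0.0.5", f"10.0.0.{i}", ICMP_ECHO_REQUEST, 0x0001, i) for i in range(10, 16)]


def run_sample():
    """Run the tracker over the constructed sample traffic."""
    return process_icmp(SAMPLE_PACKETS)


if __name__ == "__main__":
    hosts, alerts = run_sample()
    for ip, entry in sorted(hosts.items()):
        print(ip, dict(entry.ints), sorted(entry.bits), sorted(entry.pending_echo))
    print("alerts:", alerts)
```

The per-host state is keyed by source address only; a reply is correlated by looking up the entry of the host that sent the request, which is the one piece of cross-packet state a per-flow table cannot give you, since request and reply can sit in different flows depending on how the sensor keys ICMP.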