[Oisf-users] Quickstart for Bro Cluster

Martin Holste mcholste at gmail.com
Tue Sep 27 15:17:42 UTC 2011

I'm cross-posting this because I think Bro is a very helpful
supplement to anyone running an IDS, and it sounded like that was
pretty much the consensus at RAID 2011.  If you're looking to get Bro
up and running as a proof-of-concept, check out my first post on it
here: http://ossectools.blogspot.com/2011/08/monitoring-ssl-connections-with-bro.html.
 If you want it to scale up to a large pipe (anything over 80 Mb/sec),
check out my new post on Bro cluster
which will show how to set it up to take advantage of a multi-core
system and forward its logs to an SIEM or central syslog.

If you're not currently using Bro and are wondering why you should
bother, consider that Bro provides a great way to survey the SSL
traffic that's on your network, and a lot of malware uses SSL for
command-and-control channels.  It's a terrific way of seeing what
email and attachments are being transferred, which can help you spot
suspicious attachments, phishing, etc.  In addition, it will record
the MD5 and URL of every executable downloaded, which can be a real
help during incident response.  It has many more features (like being
able to receive Snort alerts), but these are just some of the
immediate benefits you get from running it alongside your current IDS.



More information about the Oisf-users mailing list