[Oisf-users] Suricata vs Bro

Cooper F. Nelson cnelson at ucsd.edu
Wed Jul 25 19:22:42 UTC 2018

Bro offers:

1) Metadata logging for more protocols than suricata currently, however
this gap is shrinking with the upcoming 4.1 suricata release.  Also, the
new rust support allows for adding support for new protocols in a more
generic fashion (vs. having to build it into the engine). 

2) A Turing complete scripting language.  So in theory you can write a
bro policy script to detect any event or sequence of events observed on
a network.  You can partially duplicate this functionality with suricata
signatures, flowbits and Lua, however it isn't as generic as Bro.  Since
suricata is built around finite-state machines, its detection engine is
orders of magnitude faster.

I replaced our (multiple) snort and bro instances with a single suricata
sensor, given its multithreaded architecture.  I was only using bro for
protocol logging some common stuff, which suricata has supported for
years.  I personally see bro as more a tool for network forensics, (like
argus), vs. a pure IDS these days.  So many run both on the same machine
and use bro to review suricata alerts in context. 


On 7/25/2018 11:50 AM, Charles Devoe wrote:
> I have seen several implementations that combine Suricata and Bro on
> the same machine.  I am curious to know what does Bro do that Suricata
> does not?

Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
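
Added example, not part of the original post: a pair of Suricata rules showing the flowbits technique mentioned in point 2, where one rule records an event without alerting and a second rule alerts only if that event was seen earlier in the same flow. The flowbit name, msg text and sids (local range) are constructed for illustration, and the http_method / http_uri modifiers are the Suricata 4.x forms.

```suricata
# Rule 1: remember that the client asked for a .jpg on this flow.
# flowbits:noalert suppresses the alert; the rule exists only to set state.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL example - HTTP GET for .jpg (sets flowbit)"; flow:established,to_server; content:"GET"; http_method; content:".jpg"; nocase; http_uri; flowbits:set,local.jpg_request; flowbits:noalert; classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2: alert when the response body on the same flow starts with a
# PE "MZ" header, i.e. an executable was served for the image request.
# flowbits:isset makes this rule depend on rule 1 having matched first.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL example - PE header in response to .jpg request"; flow:established,to_client; flowbits:isset,local.jpg_request; file_data; content:"MZ"; depth:2; classtype:bad-unknown; sid:1000002; rev:1;)
```

The flowbit lives only for the duration of the one flow it was set on, so this pattern covers a sequence of events inside a single connection and nothing broader.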
