Bro and Snort together

Hi all,
Anyone have used Bro and Snort together to the same live traffic?
If yes, any suggestion?
For example, is it possible to send the same traffic to snort and bro
without packet loss?


Have a look at SecurityOnion,



We're running Bro and Snort in parallel, but we're using DAG cards to
duplicate streams to Bro and Snort processes, so our performance
characteristics are a bit different. In general, though, it really depends
on how you manage the traffic that you're throwing at both, and how many
rules you have enabled in Snort. It *is* possible to keep packet loss
manageable, running them in parallel, but you'll have to trim down what
you have Snort running.

John Donaldson

On 10/16/15, 10:31 AM, " on behalf of Vito Logrillo"

Is it possible to do this with multiple instances of pf_ring?

On FreeBSD, I have created a script that sets up Bro+Snort with pulledpork so you can test:

The key thing will be your specific use case for Bro+Snort as others have mentioned, but with this install, you can tune down the Snort rules.

I’ve had instances where i have used zbalance_ipc to help load balance larger links for moloch. You can also use zbalance_ipc to create duplicate zc streams that you can attach different processes to. I run bro / suri on the same interface and haven’t seen issues in operation.

Sure. Take a look at securityonion or do it yourself. Works with pfring and (soon) afpacket.

Anyone have used Bro and Snort together to the same live traffic?

You could give packet-bricks a shot:

It requires netmap, however. You'd use a Duplicator brick to split up
the traffic over two pipes.