Infrastructure with Bro and SDN-capable switch

Hello,
I am a newbie to Bro IDS. I am working on a project at my university.
The goal is to reduce packet drops in the IDS by installing an SDN-capable switch which filters and only redirects suspicious content to the IDS, thus reducing the workload on the IDS and therefore packet drops.

I started researching Bro and as far as I understand, it is capable of running in high-speed networks without packet drops.
Therefore my question:
Is it reasonable to do the research project (Bro + SDN switch) or is it very unlikely to have packet drops no matter how much traffic/speed the network is running?

Thank you for your answers,
Mirjam

This is something that people in our community are already starting to do except that it's typically done backwards from what you are describing. All traffic is directed to the IDS until the IDS decides that it doesn't want to see it anymore and then it is "shunted" on the switch (or at other locations).

In my opinion, doing the opposite isn't possible because what is deciding what's suspicious? That sounds like the job of an IDS. :wink:

  .Seth
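
Added example, not part of the thread and not Bro's or any switch's API: a toy Python model of the shunting arrangement described in the reply, where the switch sends everything to the IDS until the IDS asks it to shunt a flow. The byte threshold, the `EVIL` marker standing in for detection logic, and all class and function names are assumptions made for illustration.

```python
# Added illustration: a toy model, not Bro's or any switch's real API.
from dataclasses import dataclass, field

SHUNT_AFTER_BYTES = 10_000  # assumed: clean bytes the IDS wants before it loses interest


@dataclass
class Switch:
    """Sends every packet to the IDS unless its flow has a shunt rule."""
    shunted: set = field(default_factory=set)

    def to_ids(self, flow):
        return flow not in self.shunted


@dataclass
class Ids:
    """Sees all traffic first and decides, per flow, when to stop looking."""
    switch: Switch
    seen: dict = field(default_factory=dict)
    alerts: set = field(default_factory=set)

    def inspect(self, flow, payload):
        self.seen[flow] = self.seen.get(flow, 0) + len(payload)
        if b"EVIL" in payload:  # stand-in for real detection logic
            self.alerts.add(flow)
        elif flow not in self.alerts and self.seen[flow] >= SHUNT_AFTER_BYTES:
            self.switch.shunted.add(flow)  # IDS tells the switch to shunt


def run(packets):
    """Return (bytes the IDS processed, bytes shunted, flows alerted on)."""
    switch = Switch()
    ids = Ids(switch)
    processed = bypassed = 0
    for flow, payload in packets:
        if switch.to_ids(flow):
            ids.inspect(flow, payload)
            processed += len(payload)
        else:
            bypassed += len(payload)
    return processed, bypassed, ids.alerts


# Constructed sample traffic: one bulk transfer and one short flow.
BULK = ("192.0.2.5", "192.0.2.9", 443)
SHORT = ("192.0.2.7", "192.0.2.9", 80)
SAMPLE = [(BULK, b"x" * 1000)] * 100 + [(SHORT, b"GET /"), (SHORT, b"EVIL data")]

if __name__ == "__main__":
    print(run(SAMPLE))
```

In this model the IDS handles about 10 KB of the 100 KB bulk flow and still alerts on the short flow. Anything sent on a flow after its shunt rule is installed never reaches the IDS, so the threshold is a visibility trade-off.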