Monitoring a directory and running bro on the PCAPs

Moloch is a threaded pcap writer. You are writing multiple pcaps concurrently. Spewing that kind of content at bro probably will not have the desired effect, causing loss of session information and who knows what else. I agree that you should drop another link off your tap and feed it just to bro.

So is netsniff-ng - well not technical multi threaded but multi process, yes. It does not do indexing but it is much lighter and friendly to tune.

Moloch is amazing and Erik makes a good point. I am likely going to continue to duplicate capture due to the amount of data being captured. Bro and Moloch are both fantastic compliments to most security stacks. I can’t wait for the latest bro release to come out of beta!

@Michael: if you haven’t checked out Moloch recently I would recommend checking out the latest version and giving it a go as we are constantly developing!

Open source ftw!

Thanks again for everyone’s input! This community is fantastically helpful.

  • Art