Typical Bro use case

Zeek
1

Hello all,

I am an applications engineer at a small start-up company located just North of Boston MA. I have been tasked to explore Bro and to write a follow on case study. I am somewhat new to Bro. I have installed a small cluster and have been working with Bro for the past few months. I would like to find out how others in the Bro community are using Bro.

For instance:

  1. Do most people use Bro stand-alone or are you using it in conjunction with another IDP/IPS sensor such as Snort
  2. What does a typical setup look like in terms of equipment
    a. What does your engress network load look like (i.e. data rate, traffic mix, etc.)
    b. How many cores are required to handle your traffic load/mix
  3. How are you processing the log files
  4. What is the ultimate problem that you are trying to solve

I am more then happy to share my findings thus far with any interested party. Ultimately, I would like to turn this into a presentation that I can share at the next BroCom.

If it makes more sense for me to take these types of questions off-line then I will gladly do so. Again, I am very interested in finding out how the rest of the community is using Bro so please feel free to reach out to me. Thanks in advance…

Regards,
Jerome Taylor

2

Hi,

I’m also exploring bro to be used as a core traffic intel framework. However, it’s just a small single server setup. I’ve picked the Security Onion distro so, Snort is pre configured and running with that. I would also like to read complete case studies of other folks who’ve deployed it into production.