Yet Another Conference - like no other :)

Yes. I'm from Mozilla. Now you know :)

Slides from my recent talk about NSM @ Mozilla at YaC 2013 are here, a full video will hopefully follow.

http://tech.yandex.ru/events/yac/2013/talks/1131/

Happy to answer questions, share experience, etc. Note it's an emerging project and I expect new servers to be shipped this week, so far using whatever-I-could-find in terms of CPU, but the rest matches.

This was a good read this morning…thank you.

James

http://tech.yandex.ru/events/yac/2013/talks/1131/

Video is there.

1. I'm not a native speaker. That's why I'm talking slower ;)
2. There are quite a few people in the audience, but the camera mostly gets what's in the 2-3 front rows, which were reserved
3. Being the last in a day, presenting at 19:30, is hard

Hope it's providing some useful background on our implementation of Bro. Feedback welcome :)

Great presentation!
Do you use Security Onion for the Bro & Snort clusters, or did you install it on vanilla Linux/BSD boxes?

//Kristoffer

It’s all Security Onion, tuned to our needs. That’s the power of SO - it’s so flexible you can enable/disable/change parts of it without impacting the rest. I can’t imagine doing all the integration that SO does, myself. Technically doable, but -ENOTIME :)

Hi Michal

Nice presentation!!
Cool to see some real world experiences… Especially the part “what’s working” and “what’s not working”.

Regards,
Lysemose

Nice presentation, it confirms a few things I was suspecting :)

I see you are logging to elasticsearch from Bro… have you taken a look at Moloch for full packet capture? It’s not included in Security Onion (yet?) but we have played with it at work and we’re now budgeting for Moloch boxes. Moloch just recently added support for pfring as well, and from the mailing list I saw someone posting that they were using pfring with success. It does a really good job of indexing packet captures and has some protocol decoders built in… I’ve found I don’t even need to pull a pcap out of it half the time because I get a clear picture from Moloch’s web interface

https://github.com/aol/moloch is their GitHub site

Just a thought

You mentioned that you’re using Bro 2.2, though. Is that on a separate cluster or are you building 2.2 into a Security Onion install? If the latter, how do you manage that process? Seems like it would be complex.

Just curious, why are you advocating for Moloch on the Bro mailing list? Is it only because of the interface?

  .Seth

So far yes, it’s a manual installation of Bro 2.2 beta on top of SO, but in such a fast-moving project as SO is, I’m sure the new Bro will be integrated as soon as it’s released. For now it’s just a mv /opt/bro /opt/bro.dist and installing a new /opt/bro :)

>
> Slides from my recent talk about NSM @ Mozilla at YaC 2013 are here, a
> full video will hopefully follow.
>
> http://tech.yandex.ru/events/yac/2013/talks/1131/
>

Replacing netsniff-ng with anything else is possible here, but I don't feel like I need it - SO has a great integration between pcap agent, ELSA and Bro. I can go to ELSA, find the flow I need and request a transcript - simple and very effective.

As for the metadata and data about my flows, content, protocol decoders, scripting - I would not change Bro for 1024 kg of pure gold, if that's what you are asking :)

Thanks for sharing Michal.