Happy to answer questions, share experience, etc. Note it's an emerging project and I expect new servers to be shipped this week, so far using whatever-I-could-find in terms of CPU, but the rest matches.
1. I'm not a native speaker. That's why I'm talking slower
2. There are quite a few people in the audience, but the camera mostly gets what's in the 2-3 front rows, which were reserved
3. Being the last in the day, presenting at 19:30, is hard
Hope it's providing some useful background on our implementation of Bro. Feedback welcome
It’s all Security Onion, tuned to our needs. That’s the power of SO - it’s so flexible you can enable/disable/change parts of it without impacting the rest. I can’t imagine doing all the integration that SO does, myself. Technically doable, but -ENOTIME
Nice presentation, it confirms a few things I was suspecting
I see you are logging to elasticsearch from Bro… have you taken a look at Moloch for full packet capture? It’s not included in Security Onion (yet?) but we have played with it at work and we’re now budgeting for Moloch boxes. Moloch just recently added support for pfring as well, and from the mailing list I saw someone posting that they were using pfring with success. It does a really good job of indexing packet captures and has some protocol decoders built in… I’ve found I don’t even need to pull a pcap out of it half the time because I get a clear picture from Moloch’s web interface
You mentioned that you’re using Bro 2.2, though. Is that on a separate cluster or are you building 2.2 into a Security Onion install? If the latter, how do you manage that process? Seems like it would be complex.
So far yes, it's a manual installation of the Bro 2.2 beta on top of SO, but in such a fast-moving project as SO is, I'm sure the new Bro will be integrated as soon as it's released. For now it's just a mv /opt/bro /opt/bro.dist and installing a new /opt/bro
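The swap described in the reply above, written out as an added example (not the poster's script and not part of Security Onion): the distribution copy of Bro is moved aside to a `.dist` directory, a separately built tree is dropped into its place, and a rollback restores the original. The prefix `/opt/bro` comes from the reply; the `BRO_PREFIX` override, the staging directory, the `.custom` name used by the rollback and the `bin/bro --version` sanity check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread or the Security Onion project.
# Swap a manually built Bro tree into the prefix Security Onion uses and keep
# the distribution copy next to it so the change can be undone.
# Assumptions: the live prefix is /opt/bro (BRO_PREFIX overrides it, e.g. for a
# dry run in a temp dir), the new build sits in a staging directory, and a
# usable install has an executable bin/bro.

BRO_PREFIX="${BRO_PREFIX:-/opt/bro}"

# swap_bro_install <staging_dir>
# Moves $BRO_PREFIX to $BRO_PREFIX.dist and puts the staged tree in its place.
swap_bro_install() {
    staging="$1"
    dist="${BRO_PREFIX}.dist"

    # Refuse to install something that does not look like a Bro tree.
    if [ ! -x "$staging/bin/bro" ]; then
        echo "swap_bro_install: $staging has no executable bin/bro, refusing" >&2
        return 1
    fi
    # Never clobber an earlier distribution copy: it is the rollback target.
    if [ -e "$dist" ]; then
        echo "swap_bro_install: $dist already exists, roll back first" >&2
        return 1
    fi
    if [ -e "$BRO_PREFIX" ]; then
        mv "$BRO_PREFIX" "$dist" || return 1
    fi
    mv "$staging" "$BRO_PREFIX" || {
        # Put the distribution copy back if the install step failed.
        [ -e "$dist" ] && mv "$dist" "$BRO_PREFIX"
        return 1
    }
    return 0
}

# rollback_bro_install
# Restores the distribution copy saved by swap_bro_install. The custom build is
# parked as $BRO_PREFIX.custom rather than deleted.
rollback_bro_install() {
    dist="${BRO_PREFIX}.dist"
    if [ ! -e "$dist" ]; then
        echo "rollback_bro_install: no $dist to restore" >&2
        return 1
    fi
    if [ -e "$BRO_PREFIX" ]; then
        rm -rf "${BRO_PREFIX}.custom"
        mv "$BRO_PREFIX" "${BRO_PREFIX}.custom" || return 1
    fi
    mv "$dist" "$BRO_PREFIX"
}

# bro_version_at <prefix>
# Prints the version reported by the tree at <prefix>, for a post-swap check.
bro_version_at() {
    "$1/bin/bro" --version 2>/dev/null
}
```

Run `BRO_PREFIX=/tmp/bro-test/bro sh -c '. ./swap.sh; swap_bro_install /tmp/staging'` first to see the checks fire on a scratch directory before pointing it at the real prefix; the rollback refuses to run when there is no `.dist` copy, so it cannot remove the only install on the box.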
Replacing netsniff-ng with anything else is possible here, but I don't feel like I need it - SO has a great integration between pcap agent, ELSA and Bro. I can go to ELSA, find the flow I need and request a transcript - simple and very effective.
As for the metadata and data about my flows, content, protocol decoders, scripting - I would not change Bro for 1024 kg of pure gold, if that's what you are asking