top | item 33215342

dvratil | 3 years ago

I had a chance to use Bro a few years back in network traffic analysis software, and the code was fairly bad: global state, no multithreading, a weird scripting language (because of which everything was dynamically allocated, with measurable overhead). We ended up implementing our own traffic analyzer, during which we found that major protocol implementations in Bro had bugs or failed to detect or parse valid traffic.

I hope they got better over the years, if they want to integrate into such major products...

santoshalper | 3 years ago

Well, putting it on the endpoint will actually make scalability much less of an issue and allow them to get away with much more sloppiness. So I'm not optimistic.

DominoTree | 3 years ago

They operate in completely different ways, but depending on what you're looking for, you might want to look at Suricata, especially for protocol decoding (a good chunk, especially the decoders, is built on the AMAZING `nom` parser-combinator crate in Rust and super extensible if you want to build your own decoders).

A zero-ruleset (if you're not looking at actual pattern-matching or IDS functionality) deployment of Suri is surprisingly lightweight and performant, and it's also easy to roll rules for your custom decoders if you want to actually alert on certain things instead of just doing straight decoding and dumping to JSON.