Having looked into BroIDS and a couple of potential options/setups, I'd be interested in hearing anyone's experience working with either or both BroIDS / Snort.

- I like that BroIDS is network-based as opposed to signature-based, though it doesn't seem like Bro has a frontend as polished as one might like. Are the alarms only sent out via mail/etc., or are there utilities to help parse/graph/htmlize the results? I like the idea of something like BASE for analysis.
- Anyone running BroIDS / Snort who might be able to share the system specs and what sort of traffic / analysis / capturing they are doing?
- Is BroIDS capable of working in "sentry" mode, as a sensor reporting to one analysis system? I see the options for full capturing and offline analysis, but this is just going to spit out some flat files; getting them to another system for analysis seems a bit cumbersome.
- In terms of BroIDS/Snort and PF, who comes first in processing network traffic?
- Is Bro able to log, compress, store and index events for later reviewing/searching? Or should I just have the events forwarded to a central logging server running Splunk?

Thanks for the insight.

~Jason