From Security Weekly Wiki
273 bytes added ,  15:19, 3 November 2016
ITPro.TV Announcement: "Quick announcement, ITProTV has updated their course library to include:
CompTIA Project+
DNS Tech Skills
CyberPatriot Training
CyberSecurity Analyst+
Installation, Storage, and Compute with Windows Server 2016
Networking with Server 2016
=Paul's Questions=
Do you see that an MSSP selling SOC services could build new services or incorporate Bro into the existing service offering especially without purchasing support for Bro (which I think is available in some form)?
Do you have first-hand experience on whether SMB or large enterprises are fine with it for whether they tend to walk away from open-source solutions?
Or should they even be able to care about it (i.e. using Bro under the hood - "sell the service, not the tool")?
There actually used to be a snort2bro script where you could port snort sigs to bro alerts, but it was removed because it explicitly doesn't fit with the bro model.
Before an internal web proxy?
Pardon my ignorance, but it seems this is geared to a more physical network. How well would this aid in a network all in NSX?
Do you have to run the Security Onion setup to get the pcap configured?
*For NSX just configure a span port on the vswitch and dump it to your brobox
*Good write up on mirroring a port on a vswitch: 
how much space should you plan to have for Bro to have enough room for ingest, and how much offline should you keep?
*also helpful for new users of bro - they have a web portal to try out different versions of bro online, without having to install it at all. 
Will Security onion handle vlan tags without issue if, say you want to mirror a trunk?
*Can Bro be used to baseline network traffic using NetFlow, to get visibility on anomalies like an internal SQL server all of a sudden talking outbound on port 22/tcp?
Past couple of days I've been trying to figure out how to parse what traffic is going to certain home devices when the cable's router/modem is using 10.0.0.X and my home router is using 192.168.0.X for all devices. My tap sits between the cable modem and home router.
What is Bro's advantage over Splunk?
How much storage needed for home environment?
Pardon my ignorance here, can Bro essentially fill the role of a netflow collector more or less? Thanks in advance bro.
How much overlap is there with something like PVS?
*A cheaper alternative to Gigamon are Arista switches with the Z-license, specifically take a look at their 7150-S (and netoptics) 
Is bro capable of decrypting ssl traffic to fetch user agents from https requests for example?
Does Bro support SSL decryption for more in-depth logs on HTTPS traffic?
Can we get people off the lawn?
Are you aware of any websites/resources we can use to verify known bad user agents?
For an SMB, would you recommend Security Onion as a consolidated security tool? We don't have an IDS or SIEM.
IF you are using a CASB that acts as a MiTM and proxies traffic outside of your enterprise, what is the impact of that?
*You stated, place before your proxy, and also stated after your firewall (ie, on the inside of your network). What if you are running proxy service on the firewall, which is common in SMB environments. What is the best place in that setup. 
are there any current SANS classes with hands on work with Bro?
what's the difference between bro and tshark?
How would this work with something like pi-hole or other DNS wide blockers?
What would you say the key differences are between Bro and those "enterprise grade" security analytics products (such as RSA and BlueCoat) that collect full packet and network metadata? Trying to sell the benefits can be challenging when C-levels are being blinded by the flashy lights of these solutions.
*There are multiple brocons - this is the right one
Bro will still log information about the TLS handshake, which is very helpful in scenarios like POODLE, CRIME, etc. - you could pull out the protocol versions in use (SSL 3.0 vs TLS 1.0, 1.1, 1.2) and ciphers negotiated (RC4, DES, etc.). It makes it possible to find things that may have been exploited without active scanning.
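As an added example (not from this wiki page or the Bro project), the script below shows both of the ideas raised above: mining Bro's ssl.log for hosts still accepting SSLv3 or RC4/DES ciphers (the POODLE-style check described in the note), and using conn.log to build a baseline of which internal hosts talk to which outbound ports so that a new pairing such as "SQL server suddenly talking out on 22/tcp" stands out (the NetFlow-style baseline asked about earlier). The log rows are constructed for the example; the column names follow Bro 2.x ssl.log and conn.log headers, trimmed to the columns used. Treating the RFC1918 ranges as "internal" is an assumption you would replace with your own address plan.

```python
"""Two defender-side checks over Bro logs: weak TLS in ssl.log and
new outbound host/port pairs in conn.log. Example code, not Bro's own."""
import ipaddress

# Internal address space for the baseline check (assumption: RFC1918 only).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEAK_VERSIONS = {"SSLv2", "SSLv3"}                    # SSL 3.0 and below (POODLE era)
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "_DES_", "NULL", "EXPORT")

# Constructed ssl.log, trimmed to the columns this example needs.
SSL_LOG = """#separator \\x09
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1478186340.1\tCAbc1\t10.1.3.20\t51000\t203.0.113.10\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\texample.com
1478186341.2\tCAbc2\t10.1.3.21\t51001\t10.1.2.40\t443\tSSLv3\tTLS_RSA_WITH_RC4_128_SHA\tintranet.example
1478186342.3\tCAbc3\t10.1.3.22\t51002\t10.1.2.41\t8443\tTLSv10\tTLS_RSA_WITH_3DES_EDE_CBC_SHA\t-
"""

# Constructed conn.log rows: a learning window, then a later window to compare.
BASELINE_CONN = """#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1478100000.0\tC1\t10.1.3.20\t50000\t203.0.113.10\t443\ttcp\tssl
1478100001.0\tC2\t10.1.2.5\t50001\t10.1.2.9\t1433\ttcp\t-
1478100002.0\tC3\t10.1.3.20\t50002\t203.0.113.10\t443\ttcp\tssl
"""
TODAY_CONN = """#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1478186000.0\tC4\t10.1.3.20\t50003\t203.0.113.10\t443\ttcp\tssl
1478186001.0\tC5\t10.1.2.5\t50004\t198.51.100.7\t22\ttcp\tssh
1478186002.0\tC6\t10.1.3.20\t50005\t203.0.113.10\t80\ttcp\thttp
"""


def parse_bro_log(text):
    """Parse Bro's tab-separated log into dicts, taking column names from the
    '#fields' header and mapping the '#unset_field' marker to None."""
    fields, unset, rows = [], "-", []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        values = line.split("\t")
        rows.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return rows


def weak_tls_sessions(ssl_rows):
    """Return (server, port, server_name, reasons) for every session that
    negotiated a deprecated protocol version or a weak cipher suite."""
    findings = []
    for r in ssl_rows:
        reasons = []
        if r.get("version") in WEAK_VERSIONS:
            reasons.append("protocol " + r["version"])
        cipher = r.get("cipher") or ""
        for marker in WEAK_CIPHER_MARKERS:
            if marker in cipher:
                reasons.append("cipher " + marker)
                break
        if reasons:
            findings.append((r["id.resp_h"], r["id.resp_p"], r.get("server_name"), reasons))
    return findings


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_keys(conn_rows):
    """(internal source, proto, destination port) for internal-to-external flows."""
    return {(r["id.orig_h"], r["proto"], r["id.resp_p"]) for r in conn_rows
            if is_internal(r["id.orig_h"]) and not is_internal(r["id.resp_h"])}


def build_baseline(conn_rows):
    """Set of outbound pairings seen during the learning window."""
    return outbound_keys(conn_rows)


def new_outbound(conn_rows, baseline):
    """Sorted outbound pairings in conn_rows that never appeared in the baseline."""
    return sorted(outbound_keys(conn_rows) - baseline)


if __name__ == "__main__":
    for server, port, name, why in weak_tls_sessions(parse_bro_log(SSL_LOG)):
        print(f"weak TLS: {server}:{port} ({name}) - {', '.join(why)}")
    baseline = build_baseline(parse_bro_log(BASELINE_CONN))
    for host, proto, port in new_outbound(parse_bro_log(TODAY_CONN), baseline):
        print(f"new outbound: {host} -> {proto}/{port}")
```

Run against real logs, the same functions work unchanged on ssl.log and conn.log files read from disk, since the parser takes its column layout from the `#fields` header rather than from fixed positions. The baseline deliberately keys on the internal host rather than the destination address, because the question being answered is "does this host ever speak this protocol outbound at all", which is the signal the SQL-server-on-22/tcp scenario needs.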
what about capturing DNS, in a distributed environment that uses AD to forward the requests out, should it be placed before the AD server?