Quite a few customers have expressed positive experience with the Bro IDS (recently renamed "Zeek"). This tool operates differently than Suricata and Snort and provides some great tools for searching for that network "needle in a haystack". There is a decent library of plugins and notification tools that make Bro an excellent addition to any IDS solution.

Getting started with the Bro/Zeek IDS is quite easy using 128T's service chaining capability. The IDS tools may be embedded directly into a 128T router to reduce the complexity of a physical deployment.

It should be noted that Bro is single threaded by design, with the expectation that load balancing is used to scale up to large deployments. The solution presented in the attached document is intended for smaller branch offices that do not require multi-gigabit throughput. Scaling up to central site speeds would almost surely require 128T load balancing, CPU affinity or even a separate platform for dedicated processing, so be sure to carefully design your traffic flows to avoid a bottleneck at the IDS.

Feel free to send a note with any corrections/errors. This process has been lightly tested as a 3rd party integrated solution.

Happy hunting!

#IDS #Zeek #Bro #LoadBalancing #ServiceChaining
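The single-threaded point above is the one that bites when a branch design gets reused at a larger site. As an added illustration (not from the attached document and not 128T's configuration), here is what the scaling step looks like on the Zeek side in a zeekctl `node.cfg`: the first layout is the one-worker branch setup; the second spreads one capture interface across several worker processes and pins them to cores. Interface names, host names, core numbers and the `pf_ring` load-balancing method are assumptions for the example; any traffic steering in front of Zeek (128T service chaining or load balancing) is separate from this file.

```ini
# --- Small branch: one standalone Zeek process (assumed interface eth1) ---
# Everything runs in a single thread; throughput is bounded by one core.
[zeek]
type=standalone
host=localhost
interface=eth1

# --- Central site: cluster layout, same capture interface fanned out ---
# Comment out the standalone stanza above and use this instead.
#[manager]
#type=manager
#host=localhost
#
#[logger]
#type=logger
#host=localhost
#
#[proxy-1]
#type=proxy
#host=localhost
#
#[worker-1]
#type=worker
#host=localhost
#interface=eth1
# lb_method splits packets from eth1 across lb_procs worker processes
# (pf_ring assumed to be installed; af_packet is the other common choice)
#lb_method=pf_ring
#lb_procs=4
# CPU affinity: one core per worker so they do not contend (assumed core ids)
#pin_cpus=2,3,4,5
```

After editing `node.cfg`, `zeekctl deploy` installs the new layout. The point worth checking in a design review is that the packet fan-out (`lb_procs`) matches the core count actually left free for Zeek on the box; oversubscribing the cores simply moves the bottleneck rather than removing it.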