Last Day to get an iPad mini, Surface Go 2, or Take $300 Off with OnDemand Training


To attend this webcast, login to your SANS Account or create your Account.

This webcast has been archived. To view the webcast login into your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

The Power of Fusing Network Alerts and Evidence with Open-Source Suricata and Zeek (Bro)

  • Thursday, June 25, 2020 at 12:00 PM EDT (2020-06-25 16:00:00 UTC)
  • Alex Kirk, John Gamble, Matt Bromiley


  • Corelight

You can now attend the webcast using your mobile device!



IDS platforms and firewalls excel at creating alerts, but lack the surrounding context needed to validate, investigate and respond. Analysts seeking that context from other sources like Netflow will often find themselves hitting information dead ends, unable to effectively respond to real threats and tune out false positives.

Fortunately, two powerful open-source tools, Suricata and Zeek (formerly called Bro) can help security teams overcome this challenge. Suricata offers a fast, flexible IDS and the Zeek network security monitoring platform transforms packets into rich, connection-linked protocol logs. Unified by a Community ID hashing function that can identify network connections across both tools, analysts can easily pivot from a Suricata alert to the corresponding Zeek log evidence to make fast sense of their alerts and traffic.

Register for this technical webcast to hear from Corelights Alex Kirk, Global Principal, Suricata and John Gamble, Director of Product Marketing, as well as SANS Instructor Matt Bromiley to learn about their experience using Suricata and Zeek to drive higher fidelity alerts and accelerate incident response times.

Speaker Bios

Alex Kirk

Alex is a veteran open source security evangelist with a deep engineering background. In 10 years with Sourcefire Research (VRT), he wrote the team's first malware sandbox and established its global customer outreach and intelligence sharing program. He has spoken at conferences across the globe on topics from Malware Mythbusting to Using Bro/Zeek Data for IR and Threat Hunting, and was a contributing author for Practical Intrusion Analysis, and oft-used textbook for university courses on IDS. His security engineering background also includes time at Cisco and Tenable.

John Gamble

John Gamble is Director of Product Marketing at Corelight and has spent more than a decade in the data protection industry representing cybersecurity, privacy and identity verification solutions, including his most recent role as Director of Product Marketing at Lookout, a mobile endpoint security company.

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.