The Power of Fusing Network Alerts and Evidence with Open-Source Suricata and Zeek (Bro)

  • Thursday, 25 Jun 2020 12:00PM EDT (25 Jun 2020 16:00 UTC)
  • Speakers: Matt Bromiley, John Gamble, Alex Kirk

IDS platforms and firewalls excel at creating alerts, but lack the surrounding context needed to validate, investigate and respond. Analysts seeking that context from other sources, such as NetFlow, will often hit information dead ends, unable to respond effectively to real threats or tune out false positives.

Fortunately, two powerful open-source tools, Suricata and Zeek (formerly called Bro), can help security teams overcome this challenge. Suricata offers a fast, flexible IDS, and the Zeek network security monitoring platform transforms packets into rich, connection-linked protocol logs. Unified by the Community ID hashing function, which assigns the same identifier to a network connection in both tools, analysts can pivot from a Suricata alert straight to the corresponding Zeek log evidence and make fast sense of their alerts and traffic.
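To make the Community ID pivot concrete, here is an added Python example (not code from the webcast, from Corelight, or from either project) that computes the v1 flow hash as described in the public Community ID specification for TCP/UDP/SCTP tuples and uses it to join Suricata eve.json alerts to Zeek conn.log records written in Zeek's JSON format. Field names follow the two tools' JSON outputs; the sample records, signature names and uid values are constructed for the example. Both tools can emit the field themselves (Suricata when the community-id option of its eve output is enabled, Zeek with Corelight's Community ID package), so the hash is recomputed here only to show that it is the same function on both sides.

```python
import base64
import hashlib
import ipaddress
import json
import struct

# IANA protocol numbers for the transports that Community ID v1 hashes with
# ports. ICMP/ICMPv6 need a type/code-to-port mapping and are left out here.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id(saddr, daddr, sport, dport, proto, seed=0):
    """Community ID v1 flow hash for a TCP/UDP/SCTP 5-tuple.

    Endpoints are put into canonical order (lower address first, lower port
    breaking a tie) so both directions of one connection hash to the same
    value. Result: '1:' + base64(SHA-1(seed || src || dst || proto || 0x00 || sport || dport)).
    """
    proto_num = PROTO_NUMBERS[proto.lower()]
    a = ipaddress.ip_address(saddr).packed  # network byte order
    b = ipaddress.ip_address(daddr).packed
    if len(a) != len(b):
        raise ValueError("address families must match")
    if (a, sport) > (b, dport):  # flip into canonical order
        a, b, sport, dport = b, a, dport, sport
    h = hashlib.sha1()
    h.update(struct.pack("!H", seed))
    h.update(a)
    h.update(b)
    h.update(struct.pack("!BB", proto_num, 0))  # protocol number + padding byte
    h.update(struct.pack("!HH", sport, dport))
    return "1:" + base64.b64encode(h.digest()).decode("ascii")


def eve_community_id(alert):
    """Hash a Suricata eve.json record from its packet-direction 5-tuple."""
    return community_id(alert["src_ip"], alert["dest_ip"],
                        alert["src_port"], alert["dest_port"], alert["proto"])


def zeek_conn_community_id(conn):
    """Hash a Zeek conn.log (JSON) record from its originator/responder tuple."""
    return community_id(conn["id.orig_h"], conn["id.resp_h"],
                        conn["id.orig_p"], conn["id.resp_p"], conn["proto"])


def pivot(eve_lines, conn_lines):
    """For each Suricata alert, return (signature, community_id, [Zeek uids])."""
    conns_by_id = {}
    for line in conn_lines:
        conn = json.loads(line)
        cid = conn.get("community_id") or zeek_conn_community_id(conn)
        conns_by_id.setdefault(cid, []).append(conn)
    matches = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        cid = ev.get("community_id") or eve_community_id(ev)
        uids = [c["uid"] for c in conns_by_id.get(cid, [])]
        matches.append((ev["alert"]["signature"], cid, uids))
    return matches


# Constructed sample records (not real traffic). The first alert fired on a
# server-to-client packet, so its src/dest are the reverse of Zeek's orig/resp.
EVE_LINES = [
    json.dumps({"timestamp": "2020-06-25T16:00:01.000000+0000", "event_type": "alert",
                "src_ip": "203.0.113.10", "src_port": 443,
                "dest_ip": "192.0.2.55", "dest_port": 51234, "proto": "TCP",
                "alert": {"signature": "EXAMPLE suspicious TLS response", "severity": 2}}),
    json.dumps({"timestamp": "2020-06-25T16:00:02.000000+0000", "event_type": "alert",
                "src_ip": "192.0.2.77", "src_port": 40000,
                "dest_ip": "198.51.100.9", "dest_port": 53, "proto": "UDP",
                "alert": {"signature": "EXAMPLE DNS query to sinkhole", "severity": 3}}),
    json.dumps({"timestamp": "2020-06-25T16:00:03.000000+0000", "event_type": "flow",
                "src_ip": "192.0.2.55", "src_port": 51234,
                "dest_ip": "203.0.113.10", "dest_port": 443, "proto": "TCP"}),
]
CONN_LINES = [
    json.dumps({"ts": 1593100800.5, "uid": "CsAmPlE1", "id.orig_h": "192.0.2.55",
                "id.orig_p": 51234, "id.resp_h": "203.0.113.10", "id.resp_p": 443,
                "proto": "tcp", "service": "ssl", "conn_state": "SF"}),
    json.dumps({"ts": 1593100801.0, "uid": "CsAmPlE2", "id.orig_h": "192.0.2.55",
                "id.orig_p": 51240, "id.resp_h": "203.0.113.10", "id.resp_p": 443,
                "proto": "tcp", "service": "ssl", "conn_state": "S0"}),
]

if __name__ == "__main__":
    for signature, cid, uids in pivot(EVE_LINES, CONN_LINES):
        print(f"{signature}: {cid} -> zeek uids {uids or 'none'}")
```

Because the alert's src/dest and Zeek's orig/resp run in opposite directions, a naive string compare of the two 5-tuples would miss the match; the canonical ordering inside community_id is what makes the join direction-independent, and the second conn record (same hosts, different client port) correctly stays unmatched.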

Register for this technical webcast to hear Corelight's Alex Kirk (Global Principal, Suricata) and John Gamble (Director of Product Marketing), along with SANS Instructor Matt Bromiley, share their experience using Suricata and Zeek to drive higher-fidelity alerts and accelerate incident response times.