Watchman: Turning Bro into a True IDS

Thursday, April 12 | 9:15AM–10:15AM ET | Maryland Ballroom E, Fifth Floor
Session Type: Breakout Session
Delivery Format: Interactive Presentation
Bro is a great tool for transforming raw network traffic into streams of useful logs for consumption by a security analyst. To move beyond plain-text logging, many organizations have added massive ElasticSearch databases for better "search" capability. Unfortunately, this didn't give analysts a way to create actual incidents from the information in the databases. In this presentation, we will explain how BC closed the detection loop and automated Bro detection to transform the raw data into true events. We will also discuss the architecture and technology to process and consume this data at speed for a medium-sized Bro deployment.

Outcomes:

  • Be able to plan a reasonably sized ElasticSearch cluster for Bro data
  • Spot common performance problems with your cluster and get solutions to fix them
  • Discover the new Watchman tool to better utilize your Bro data


  • Patrick Cain

    President, The Cooper-Cain Group, Inc.
  • Phillip Deneault

    Principal Information Security Analyst, Boston College

Resources & Downloads

  • Using Bro as an IDS final posted

    1 MB, pptx - Updated on 1/22/2024
  • ElasticSearch Presentation Appendix

    28 KB, docx - Updated on 1/22/2024