[Bro] Broccoli and Intrusion Detection Exchange Format
christian at whoop.org
Wed Sep 14 15:35:04 PDT 2005
On Wed, 2005-09-14 at 14:11 -0700, Vern Paxson wrote:
> FYI, there are some hooks for IDMEF support within Bro itself (see #ifdef
> USE_IDMEF), but it's not complete. Broccoli doesn't have any IDMEF support,
> and in fact I don't believe it would be a fit for it to do so - IDMEF is
> for exchanging alerts, while Broccoli aims for exchanging events and typed
> values, which are much more general.
Indeed. Broccoli is the wrong level of abstraction for IDMEF. Either use
Broccoli to feed events into a Bro and have the Bro node generate IDMEF
alerts, or write your own application that uses Broccoli for inter-Bro
communication and something like libidmef to communicate alerts.