[Bro] bro-ids + sguil

Lee Sheng darkxer05 at yahoo.com
Wed Jul 12 03:50:15 PDT 2006


I have read a lot regarding brocolli and it seems that's what needed to code with instead of hacking bro src. Especially brocolli able to talk to bro to extract the information it needs. From my experience about sguil, that's how snort get to talk to sguil in this form -

snort -> barnyard(snort native db output plugin that hacked to work with sguil sensor) -> sguil sensor -> sguil server

Previously sguil developers mod the snort for it's portscan data and now no longer needed and instead just need to mod the barnyard. Is it similar to bro as well where

bro-ids -> brocolli(hack to work with sguil sensor) -> sguil sensor -> sguil server

I also take a look at brooery to get the better idea of how bro needed to put into gui context. It seems that brooery is not real time notification system, and indeed it targets on enhancing the analysis capabilities, while this is already been achieved in sguil, I think it should get real time notification for alarm event and analyse on the fly when possible. 


Yahoo! Music Unlimited - Access over 1 million songs.Try it free. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20060712/74bbf4ad/attachment.html 

More information about the Bro mailing list