[Bro] bro-ids + sguil
christian at whoop.org
Thu Jul 13 06:53:01 PDT 2006
On Wed, 2006-07-12 at 03:50 -0700, Lee Sheng wrote:
> I have read a lot regarding brocolli
It's "Broccoli". Like the food. Two "c"s, one "l". :^)
> and it seems that's what needed to code with instead of hacking bro
> src. Especially brocolli able to talk to bro to extract the
> information it needs. From my experience about sguil, that's how snort
> get to talk to sguil in this form -
> snort -> barnyard(snort native db output plugin that hacked to work
> with sguil sensor) -> sguil sensor -> sguil server
> Previously sguil developers mod the snort for it's portscan data and
> now no longer needed and instead just need to mod the barnyard. Is it
> similar to bro as well where
> bro-ids -> brocolli(hack to work with sguil sensor) -> sguil sensor ->
> sguil server
Please don't make any changes to Broccoli that add features irrelevant
to Bro's communication protocol, since such patches will never get in.
Rather, I'd suggest writing a translator or something that uses Broccoli
to receive Bro events, then translates them into whatever sguil needs,
and forwards that on to the sguil sensor. Kind of like this:
bro-ids -> bro2sguil translator -> sguil server.
That translator would effectively function as a sguil sensor.
Alternatively, if the sguil server is sufficiently flexible, it'll just
get a new Bro module in addition to other things it can talk to.
More information about the Bro