[Bro] Exporting bro alarms and notices
robin at icir.org
Thu Nov 10 06:23:40 PST 2011
On Thu, Nov 10, 2011 at 17:52 +0400, George Noseevich wrote:
> So is the syslog logging (either local or remote) the only alternative
> to logfiles? No database nor ability to add custom log-processing hooks?
No DB interface right now but the new 2.0 logging framework does allow
plugging in different logging backends. Currently, we only have the
ASCII writer that produces the *.log file you're seeing, but binary
output and DB writers are planned. In fact, there's already a patch in
the tracker adding CouchDB support:
> As for IDMEF, I don't personally like the format (bloated xml messages
> are a nightmare) but it seems this is the only option to handle alerts
> in a mixed IDS/IPS environment.
Yeah, IDMEF is something we should add. Not totally clear to me yet
though how exactly that would look on the implementation side.
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
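Since the ASCII writer is the only backend shipping at the time of this message, the practical route to a "custom log-processing hook" is to parse its *.log output externally. The following is an added example, not Bro's code and not from this thread: a Python parser for the Bro 2.0 ASCII writer layout (a `#separator` line followed by `#set_separator`, `#unset_field`, `#empty_field`, `#path`, `#fields` and `#types` headers, tab-separated rows, `-` for unset fields, `#close` at the end) that types each column from the `#types` header and selects the records carrying `Notice::ACTION_ALARM` for export as JSON lines. The sample notice.log, its field set, UIDs and notice names are constructed for illustration.

```python
"""Parse Bro 2.0 ASCII writer output and export alarm notices as JSON.
Added example; not Bro's own code.  The sample log below is constructed."""
import json

# Constructed sample in the Bro 2.0 ASCII writer layout.  The writer
# emits '#'-prefixed header lines and tab-separated records; '-' marks
# an unset field and ',' separates set/table members.  Field names and
# notice types here are assumptions for illustration.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tactions\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\ttable[enum]\n"
    "1320934800.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t54321\t198.51.100.5\t22\t"
    "SSH::Password_Guessing\t192.0.2.10 appears to be guessing SSH passwords\t"
    "Notice::ACTION_LOG,Notice::ACTION_ALARM\n"
    "1320934801.5\t-\t-\t-\t-\t-\tWeird::Activity\tbad_TCP_checksum\tNotice::ACTION_LOG\n"
    "#close\t2011-11-10-14-30-00\n"
)


def _unescape(s):
    # The '#separator' value is written as a "\xNN" escape sequence.
    return bytes(s, "ascii").decode("unicode_escape")


def _convert(value, btype, set_sep, unset, empty):
    """Map one column to a Python value using its Bro type name."""
    if value == unset:
        return None
    if btype.startswith(("set[", "table[", "vector[")):
        return [] if value == empty else value.split(set_sep)
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype in ("count", "int", "port"):
        return int(value)
    if btype == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet ... stay as text


def parse_bro_log(text):
    """Return (path, records) for one ASCII-writer log file."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = types = path = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _unescape(line[len("#separator "):])
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # '#open', '#close' and unknown headers are skipped
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError("column count %d != %d fields" % (len(cols), len(fields)))
        records.append({f: _convert(v, t, set_sep, unset, empty)
                        for f, v, t in zip(fields, cols, types)})
    return path, records


def alarms_only(records):
    """Keep notices whose actions include Notice::ACTION_ALARM."""
    return [r for r in records
            if r.get("actions") and "Notice::ACTION_ALARM" in r["actions"]]


def to_json_line(record):
    """One JSON object per line, ready for a collector or syslog forwarder."""
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    _, recs = parse_bro_log(SAMPLE_NOTICE_LOG)
    for rec in alarms_only(recs):
        print(to_json_line(rec))
```

The parser trusts the `#types` header rather than guessing from values, so a column such as `port` becomes an int and an unset `uid` becomes `None` instead of the literal `-`; a row whose column count disagrees with `#fields` is rejected rather than silently misaligned.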