[Bro] Integrating bro-ids on sguil or snorby
mcholste at gmail.com
Wed Sep 28 11:04:06 PDT 2011
>>> Sorry if this question sounds stupid, but I am very new using bro as
>>> an IDS. Is it possible to integrate bro logs on sguil or snorby or some
>>> type of front-ends like these ones?
As Seth pointed out, Bro's not really the same kind of "alerting"
device that Snort is, so it doesn't fit the SIEM mold very well.
However, if you have a log management solution, you can forward your
Bro logs into it. If you look at the email I sent the list two days
ago regarding the Bro cluster quickstart, you'll see a link to my
osssectools.blogspot.com post where I show how to forward Bro logs
using rsyslog. A similar setup could be achieved with syslog-ng if
that's already on the box. Hopefully your log management solution
will let you explore Bro's outputs a bit better and provide some
alerting capabilities. Otherwise, don't ever be afraid to plow into
the logs with grep and sort.
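As an added illustration of the "grep and sort" approach above (this is example code, not something from the poster or from the Bro project): a small POSIX shell helper that reads a Bro 2.x tab-separated log, resolves column positions from the `#fields` header the way `bro-cut` does, and tallies any field, optionally restricted to rows where another field has a given value. The sample `conn.log` content is constructed for the example; the field names (`id.resp_p`, `id.orig_h`, `conn_state`) and the `S0` state (SYN seen, no reply) are Bro's own.

```shell
#!/bin/sh
# Write a constructed Bro 2.x conn.log to the file named in $1.
# The header/footer lines and the nine-column layout mirror Bro's
# tab-separated ASCII writer; the flows themselves are made up.
make_sample_conn_log() {
  printf '%s\n' \
    '#separator \x09' \
    '#path	conn' \
    '#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	conn_state' \
    '1317232800.000000	CUid1	10.0.0.5	50001	192.0.2.10	80	tcp	http	SF' \
    '1317232801.000000	CUid2	10.0.0.5	50002	192.0.2.10	80	tcp	http	SF' \
    '1317232802.000000	CUid3	10.0.0.7	50003	192.0.2.20	443	tcp	ssl	SF' \
    '1317232803.000000	CUid4	10.0.0.7	50004	192.0.2.10	80	tcp	http	SF' \
    '1317232804.000000	CUid5	10.0.0.9	50005	192.0.2.30	22	tcp	-	S0' \
    '1317232805.000000	CUid6	10.0.0.9	50006	192.0.2.31	22	tcp	-	S0' \
    '1317232806.000000	CUid7	10.0.0.9	50007	192.0.2.32	443	tcp	-	S0' \
    '1317232807.000000	CUid8	10.0.0.5	50008	192.0.2.10	80	tcp	http	SF' \
    '#close	2011-09-28-11-00-00' > "$1"
}

# bro_field_counts LOG FIELD [FILTER_FIELD FILTER_VALUE]
# Print "count value" lines for FIELD, most frequent first. Column
# numbers come from the '#fields' header, so the helper keeps working
# when a log's column order differs from what you remember.
bro_field_counts() {
  log=$1; want=$2; ffield=${3:-}; fvalue=${4:-}
  awk -F'\t' -v want="$want" -v ffield="$ffield" -v fvalue="$fvalue" '
    /^#fields/ {
      # $1 is the literal "#fields", so data column for $i is i-1
      for (i = 2; i <= NF; i++) {
        if ($i == want)   col  = i - 1
        if ($i == ffield) fcol = i - 1
      }
      next
    }
    /^#/ { next }                              # skip other header/footer lines
    !col { next }                              # requested field not in this log
    ffield != "" && $fcol != fvalue { next }   # optional row filter
    { print $col }
  ' "$log" | sort | uniq -c | sort -rn
}

# bro_top_value LOG FIELD [FILTER_FIELD FILTER_VALUE]
# Just the single most frequent value of FIELD (empty if none).
bro_top_value() {
  bro_field_counts "$@" | head -n 1 | awk '{ print $2 }'
}

# Demo: busiest responder ports, then which originator produced the
# most unanswered SYNs (conn_state S0), a cheap first look for scanning.
demo_log=$(mktemp)
make_sample_conn_log "$demo_log"
echo "Top responder ports:"
bro_field_counts "$demo_log" id.resp_p
echo "S0 connections by originator:"
bro_field_counts "$demo_log" id.orig_h conn_state S0
rm -f "$demo_log"
```

On a real system point the helpers at `$BRO_PREFIX/logs/current/conn.log` (or any other Bro log, since the column lookup is driven by the header), and add `zcat` for the rotated, compressed archives.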