[Bro] Integrating bro-ids on sguil or snorby

carlopmart carlopmart at gmail.com
Thu Sep 29 01:44:52 PDT 2011


On 09/28/2011 08:04 PM, Martin Holste wrote:
>>>>    Sorry if this question sounds stupid, but I am very new using bro as
>>>> an IDS. Is it possible to integrate bro logs on sguil or snorby or some
>>>> type of front-ends like these ones??
>
> As Seth pointed out, Bro's not really the same kind of "alerting"
> device that Snort is, so it doesn't fit the SIEM mold very well.
> However, if you have a log management solution, you can forward your
> Bro logs into it.  If you look at the email I sent the list two days
> ago regarding the Bro cluster quickstart, you'll see a link to my
> osssectools.blogspot.com post where I show how to forward Bro logs
> using rsyslog.  A similar setup could be achieved with syslog-ng if
> that's already on the box.  Hopefully your log management solution
> will let you explore Bro's outputs a bit better and provide some
> alerting capabilities.  Otherwise, don't ever be afraid to plow into
> the logs with grep and sort.

Thanks Martin. I have done some Google searches about this, and I think 
the best option is to use an OSSEC agent, and then from the OSSEC server 
forward all logs to a Splunk server to collect statistics, etc.

Another option is to use rsyslog, as described in your blog post, like this:

rsyslog -> ossec_agent -> ossec_server -> splunk

What is your opinion??
-- 
CL Martinez
carlopmart {at} gmail {d0t} com
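Whichever forwarding chain is used (rsyslog, OSSEC, Splunk), the receiving end has to make sense of Bro's tab-separated ASCII logs. The following is an added example, not code from this thread or from the Bro project: it parses a Bro 2.x style ASCII log (header lines such as `#separator`, `#fields`, `#unset_field`, data rows, `#close`) into records and renders each one as a key=value line that a log manager can index. The `conn.log` sample is constructed for illustration.

```python
# Added example: parse a Bro ASCII log into dicts and emit key=value lines.
# Assumes the Bro 2.x ASCII writer layout ('#fields' header, tab separator,
# '-' for unset fields). The sample log below is constructed, not captured.
import codecs

SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval
1317290692.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t0.125
1317290693.000000\tCkpA7s1mMlwT1aSqUb\t10.0.0.7\t53322\t192.0.2.53\t53\tudp\tdns\t-
#close\t2011-09-29-01-44-52
"""

def parse_bro_log(text, unset="-"):
    """Return (path, records) from a Bro ASCII log held in `text`.
    Unset fields (the '#unset_field' marker, '-' by default) become None."""
    sep, fields, path, records = "\t", None, None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Bro writes the separator as an escape such as "\x09" for a tab
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#path"):
            path = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #types, #open, #close and similar header lines
        elif fields:
            values = line.split(sep)
            records.append({k: (None if v == unset else v)
                            for k, v in zip(fields, values)})
    return path, records

def to_kv(path, record):
    """Render one record as 'bro_<path> key=value ...' for syslog forwarding."""
    parts = ["bro_%s" % path]
    for k, v in record.items():
        parts.append("%s=%s" % (k, "-" if v is None else v))
    return " ".join(parts)

if __name__ == "__main__":
    log_path, rows = parse_bro_log(SAMPLE_CONN_LOG)
    for row in rows:
        print(to_kv(log_path, row))
```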


