[Bro] Integrating bro-ids on sguil or snorby

Louis F Ruppert lruppert at syr.edu
Thu Sep 29 05:14:02 PDT 2011

Another option is to use the syslog output and pipe that into prelude-ids/prewikka for handling.  I've done that with 1.5.x using its native syslog output.  I've been experimenting with doing the same with the development version.

Prelude is nice because it's a fairly distributed model, and it encrypts traffic from sensors to manager/display.  And its development bits are Python, so there's potential for much tighter integration.

Distributed is nice too, if you tend to move back and forth between using multiple specialized bro clusters and the one all-uniting fearsome bro mega-cluster.

The model I tend to use looks like this:

But picture it with HIDS output, commercial IDS output, and other syslog output all correlated by IP in my diagram.
Lou Ruppert
Intrusion Analyst, GCFA
Information Security
Syracuse University
From: bro-bounces at bro-ids.org [bro-bounces at bro-ids.org] on behalf of Seth Hall [seth at icir.org]
Sent: Thursday, September 29, 2011 7:11 AM
To: carlopmart
Cc: bro at bro-ids.org
Subject: Re: [Bro] Integrating bro-ids on sguil or snorby

On Sep 29, 2011, at 4:44 AM, carlopmart wrote:

> rsyslog -> ossec_agent -> ossec_server -> splunk
> What is your opinion??

I want to support splunk as a direct output for Bro eventually; we already have some users that are very successfully using that model.  With my "ext" scripts available from http://www.github.com/sethhall/bro_scripts people have been using the Splunk forwarder to send those logs directly to splunk, which automatically does field extraction and correctly recognizes the epoch time timestamps at the beginning of the lines as what they are.

We are planning on doing closer integration with OSSEC once we figure out what that means, but what does that 4 step pipeline gain you over just using the splunk forwarder directly?

BTW, I don't really recommend people begin using my "ext" scripts at this point.  We're going to be doing a new release very soon and all of the scripts have incorporated "lessons learned" from my experience in writing the ext scripts.  It makes more sense to follow our in-development quickstart guide[1] and Martin's recent blog post[2].

1. http://www.bro-ids.org/documentation/quickstart.html#compiling-bro-source-code
2. http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
