[Bro] Input to quarantine system

Tyler T. Schoenke tyler.schoenke at colorado.edu
Thu Oct 18 12:18:38 PDT 2012

Hi All,

We are rewriting a helper service due to internal changes in our
network security environment. We currently send Bro alarms via email to
our Request Tracker (RT) database, and call the old helper to parse the
email and gather user information so we can quarantine infected
machines. That works decently, but I was wondering if there is a better
way to do this. Perhaps some method that is easier to parse. We need
to feed some XML into an API for our Network Access Control.

We primarily need IP, timestamp, and a short description of the alarm.
Right now, timestamp isn't included in the emailed alarms. Is there a
better way to send alarms in an easily parsable format? Is there an
easy way to bulk include timestamp in all alarms?

Tyler Schoenke
Network Security Manager
IT Security Office
University of Colorado at Boulder
