[Bro] Input to quarantine system
mcholste at gmail.com
Thu Oct 18 12:37:58 PDT 2012
This could be done with an ELSA connector (I know, I'm referring to
ELSA, shocker!) that wrote directly to the database. ELSA includes a
connector for CIF that does just that and could be easily edited to
become a custom input connector. If you're interested, let me know,
and I'll write it for you.
On Thu, Oct 18, 2012 at 2:18 PM, Tyler T. Schoenke
<tyler.schoenke at colorado.edu> wrote:
> Hi All,
> We are rewriting a helper service due to internal changes in our
> network security environment. We currently send Bro alarms via email to
> our Request Tracker (RT) database, and call the old helper to parse the
> email, and gather user information so we can quarantine infected
> machines. That works decently, but I was wondering if there is a better
> way to do this. Perhaps some method that is easier to parse. We need
> to feed some XML into an API for our Network Access Control.
> We primarily need IP, timestamp, and a short description of the alarm.
> Right now, timestamp isn't included in the emailed alarms. Is there a
> better way to send alarms in an easily parsable format? Is there an
> easy way to bulk include timestamp in all alarms?
> Tyler Schoenke
> Network Security Manager
> IT Security Office
> University of Colorado at Boulder
> Bro mailing list
> bro at bro-ids.org
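As an added example (not code from either poster, from Bro or from ELSA): a small parser that pulls IP, timestamp and description out of Bro's notice.log, where every notice already carries an epoch timestamp in the ts column, and renders them as XML for a NAC call. The notice.log layout follows Bro 2.x, the record values are constructed, and the `<quarantine>` XML schema is a hypothetical stand-in for the site's NAC API.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the layout of a Bro 2.x notice.log (tab-separated,
# columns named by the "#fields" header; only a subset of columns is shown).
SAMPLE_NOTICE_LOG = (
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tnote\tmsg\tsrc\tactions\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\taddr\tset[enum]\n"
    "1350589078.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t49152\t192.0.2.10\t80"
    "\tScan::Address_Scan\t10.0.0.5 scanned at least 25 unique hosts on 80/tcp"
    "\t10.0.0.5\tNotice::ACTION_ALARM,Notice::ACTION_LOG\n"
    "1350589090.5\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t51000\t192.0.2.20\t22"
    "\tSSH::Login\tHeuristically detected successful SSH login"
    "\t-\tNotice::ACTION_LOG\n"
    "#close\t2012-10-18-12-37-58\n"
)

def parse_notice_log(text):
    """Yield one dict per notice, keyed by the column names in the #fields header
    (read from the file rather than hard-coded, so added columns do not break it)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            yield dict(zip(fields, line.split("\t")))

def is_alarm(rec):
    """The emailed alarms are the notices that carry the ACTION_ALARM action."""
    return "Notice::ACTION_ALARM" in rec.get("actions", "").split(",")

def notice_to_nac_xml(rec):
    """Render one notice as the hypothetical NAC request: IP, ISO-8601 time, description."""
    src = rec.get("src", "-")
    ip = src if src != "-" else rec["id.orig_h"]  # "-" is Bro's unset marker
    ts = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc).isoformat()
    root = ET.Element("quarantine")
    ET.SubElement(root, "ip").text = ip
    ET.SubElement(root, "timestamp").text = ts
    ET.SubElement(root, "description").text = f"{rec['note']}: {rec['msg']}"
    return ET.tostring(root, encoding="unicode")

def alarms_to_nac_xml(text):
    """Return the XML documents for every alarm-level notice in a notice.log."""
    return [notice_to_nac_xml(r) for r in parse_notice_log(text) if is_alarm(r)]
```

Reading the log directly also avoids re-parsing free-form email bodies, and the same header-driven parser works for any other Bro log the helper later needs.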