[Bro] bro question with SIEM
branthale at gmail.com
Fri Oct 31 13:08:51 PDT 2014
I also have Qradar and am looking to supplement it with BRO - mainly the
Security Onion platform. The systems have some overlap; I suspect that
they are just going to want raw network data as they have their own tools
to pull info out. I am planning on sending my syslog data to Qradar and
pulling the BRO data from a network tap. So both systems will run in
parallel, not one reporting to the other.
Do let us know what you end up with.
On Fri, Oct 31, 2014 at 3:45 PM, Allen, Brian <brianallen at wustl.edu> wrote:
> Hi -
> Our Medschool uses the IBM Qradar SIEM tool, and we have a project to
> expand it to cover the rest of the University. Since we have a SIEM now, I
> figured I might as well put the best logs I have in it - which include BRO
> logs: http, dns, conn, etc.
> IBM is asking me the following question: Is BRO able to forward raw
> flow data that has not been normalized or altered?
> I'm pretty sure the answer is no because I have worked with raw flow
> data with flow-tools a lot, but I wanted to post it here to make sure, plus
> see if anyone is using BRO with a SIEM and what those setups might look
> Brian Allen, CISSP
> Information Security Manager
> Washington University
> brianallen at wustl.edu
> Bro mailing list
> bro at bro-ids.org
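An added example, not code from this thread or from the Bro project: the question above concerns what Bro actually produces, and the answer is Bro's own tab-separated ASCII logs (conn, http, dns, ...), each with a header block (#separator, #fields, #types, #unset_field, ...) rather than raw flow records. The converter below parses that format and emits one JSON object per record, which is the shape a log forwarder would hand to a SIEM such as QRadar. The conn.log sample is constructed for the example and uses a subset of the real conn.log columns; the function names are this example's own.

```python
"""Parse Bro's tab-separated ASCII log format and emit JSON lines for SIEM ingestion."""
import json

# Constructed sample conn.log (subset of the real columns). Bro writes the
# separator escaped on the first line ("\x09" = tab); later header lines and
# all data rows are split on that separator.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2014-10-31-13-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1414785600.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.7\t80\ttcp\thttp\t0.532\t1024\t5120\tSF
1414785601.000000\tCjhGID4nQcgTWjvg4c\t192.0.2.11\t53412\t198.51.100.53\t53\tudp\tdns\t-\t60\t-\tS0
#close\t2014-10-31-13-05-00
"""


def _decode_separator(raw):
    """Turn Bro's escaped separator (e.g. the literal text \\x09) into the real character."""
    return raw.encode("ascii").decode("unicode_escape")


def _convert(value, bro_type, unset, empty, set_sep):
    """Map one column to a native Python value using the #types declaration."""
    if value == unset:
        return None                      # Bro's "-" means the field was never set
    if bro_type.startswith(("set[", "vector[")):
        return [] if value == empty else value.split(set_sep)
    if value == empty:
        return ""
    if bro_type in ("count", "int", "port"):
        return int(value)
    if bro_type in ("time", "interval", "double"):
        return float(value)
    if bro_type == "bool":
        return value == "T"
    return value                         # string, addr, enum, subnet: keep as text


def parse_bro_log(text):
    """Return a list of dict records from Bro ASCII log text (header block + rows)."""
    sep, set_sep, empty, unset, path = "\t", ",", "(empty)", "-", None
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _decode_separator(line[len("#separator "):])
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue                     # #open / #close and unknown directives are ignored
        cols = line.split(sep)
        if len(cols) != len(fields):
            raise ValueError("column count %d does not match #fields (%d)" % (len(cols), len(fields)))
        record = {"_path": path}         # keep the log type so the SIEM can route it
        for name, bro_type, value in zip(fields, types, cols):
            record[name] = _convert(value, bro_type, unset, empty, set_sep)
        records.append(record)
    return records


def to_json_lines(records):
    """Serialise records as newline-delimited JSON, one object per line."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_json_lines(parse_bro_log(SAMPLE_CONN_LOG)))
```

Unset fields ("-") become JSON null rather than being silently dropped, so a SIEM rule that keys on, say, a missing duration for a half-open connection still sees the field. The same parser handles http.log and dns.log because those logs carry their own #fields and #types headers.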