[Bro] bro question with SIEM

Brant Hale branthale at gmail.com
Fri Oct 31 13:08:51 PDT 2014


I also have Qradar and am looking to supplement it with BRO - mainly the
Security Onion platform. The systems have some overlap, I suspect that
they are just going to want raw network data as they have their own tools
to pull info out. I am planning on sending my syslog data to Qradar and
pulling the BRO data from a network tap. So both systems will run in
parallel not one reporting to the other.

Do let us know what you end up with.


On Fri, Oct 31, 2014 at 3:45 PM, Allen, Brian <brianallen at wustl.edu> wrote:

> Hi -
> Our Medschool uses the IBM Qradar SIEM tool, and we have a project to
> expand it to cover the rest of the University. Since we have a SIEM now, I
> figured I might as well put the best logs I have in it - which include BRO
> logs: http, dns, conn, etc.
> IBM is asking me the following question: Is BRO able to forward raw
> flow data that has not been normalized or altered?
> I'm pretty sure the answer is no because I have worked with raw flow
> data with flow-tools a lot, but I wanted to post it here to make sure, plus
> see if anyone is using BRO with a SIEM and what those setups might look
> like.
> Thanks,
> -Brian
> Brian Allen, CISSP
> Information Security Manager
> Washington University
> brianallen at wustl.edu
> 314-935-5380
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro