[Bro] bro question with SIEM

Slagell, Adam J slagell at illinois.edu
Fri Oct 31 13:15:02 PDT 2014

You could send the logs or even the raw bro events.

I'm not sure what they mean by raw flow data, but am guessing they mean like v9 netflows. That it won't do.

On Oct 31, 2014, at 3:08 PM, Brant Hale <branthale at gmail.com> wrote:


I also have Qradar and am looking to supplement it with BRO - mainly the Security Onion platform. The systems have some overlap, I suspect that they are just going to want raw network data as they have their own tools to pull info out. I am planning on sending my syslog data to Qradar and pulling the BRO data from a network tap. So both systems will run in parallel not one reporting to the other.

Do let us know what you end up with.


On Fri, Oct 31, 2014 at 3:45 PM, Allen, Brian <brianallen at wustl.edu> wrote:
Hi -

Our Medschool uses the IBM Qradar SIEM tool, and we have a project to expand it to cover the rest of the University. Since we have a SIEM now, I figured I might as well put the best logs I have in it - which include BRO logs: http, dns, conn, etc.

IBM is asking me the following question: Is BRO able to forward raw flow data that has not been normalized or altered?

I'm pretty sure the answer is no because I have worked with raw flow data with flow-tools a lot, but I wanted to post it here to make sure, plus see if anyone is using BRO with a SIEM and what those setups might look like.


Brian Allen, CISSP
Information Security Manager
Washington University
brianallen at wustl.edu

Bro mailing list
bro at bro-ids.org


Adam J. Slagell
Chief Information Security Officer
Assistant Director, Cybersecurity Directorate
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."
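One concrete form of "send the logs" from the reply above, as an added example that is not part of this thread or of Bro itself: a Python script that reads a Bro ASCII conn.log using the log's own #fields/#types/#unset_field headers and renders each record as a LEEF 1.0 line, the syslog event format QRadar ingests, leaving every field value exactly as Bro wrote it. The sample log lines are constructed, and the vendor/product/version strings in the LEEF header are placeholders.

```python
# Constructed sample of a Bro 2.x ASCII conn.log. Header lines start with '#';
# the first one spells the column separator as an escape: "#separator \x09".
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\n"
    "1414793282.123456\tCxyz1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp"
    "\thttp\t0.250\t512\t4096\tSF\n"
    "1414793283.000000\tCxyz2\t10.0.0.6\t53001\t192.0.2.53\t53\tudp"
    "\tdns\t-\t64\t-\tS0\n"
    "#close\t2014-10-31-13-15-02\n"
)


def parse_bro_log(text):
    """Return (path, records) from a Bro ASCII log, driven by its own headers.
    Field values stay the raw strings Bro wrote (no normalization); only the
    declared unset marker (usually '-') is mapped to None so it is recognizable."""
    sep, unset, path, fields, records = "\t", "-", "", [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key.startswith("separator "):  # "#separator \x09": decode the escape
                sep = key.split(" ", 1)[1].encode().decode("unicode_escape")
            elif key == "unset_field":
                unset = value
            elif key == "path":  # log stream name, e.g. conn, http, dns
                path = value
            elif key == "fields":
                fields = value.split(sep)
            continue  # #types, #open, #close and the rest carry no records
        values = line.split(sep)
        if len(values) != len(fields):  # a truncated or rotated line: refuse it
            raise ValueError("field count mismatch in line: %r" % line)
        records.append({n: (None if v == unset else v) for n, v in zip(fields, values)})
    return path, records


def to_leef(path, rec, vendor="Bro", product="bro-ids", version="2.3"):
    """Render one record as a LEEF 1.0 event: LEEF:1.0|Vendor|Product|Version|EventID|
    followed by tab-separated key=value pairs (vendor/product/version are placeholders).
    The Bro #path serves as the EventID so QRadar can tell conn from http, dns, etc."""
    attrs = "\t".join("%s=%s" % (k, "-" if v is None else v) for k, v in rec.items())
    return "LEEF:1.0|%s|%s|%s|%s|%s" % (vendor, product, version, path, attrs)
```

Pointing the same parser at a live conn.log and writing each LEEF line to a syslog socket is all that remains; the record contents are the unaltered Bro fields.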
