[Bro] bro question with SIEM

Mike Patterson mike.patterson at uwaterloo.ca
Fri Oct 31 15:51:20 PDT 2014

They definitely mean netflowv5 or 9. Bro can't do this, but you probably could generate flows from the same device you're running Bro on. I'm pretty sure there are some open source options here.

Mike Patterson
Manager, Information Security Operations
Information Security Services, University of Waterloo
+1 519-888-4567, x47178 / mike.patterson at uwaterloo.ca<mailto:mike.patterson at uwaterloo.ca>

On Oct 31, 2014, at 16:00, Allen, Brian <brianallen at wustl.edu<mailto:brianallen at wustl.edu>> wrote:

Hi -

Our Medschool uses the IBM Qradar SIEM tool, and we have a project to expand it to cover the rest of the University.  Since we have a SEIM now, I figured I might as well put the best logs I have in it -  which include BRO logs: http, dns, conn, etc.

IBM is asking me the following question:  Is BRO able to forward raw flow data that has not been normalized or altered?

I'm pretty sure the answer is no because I have worked with raw flow data with flow-tools a lot, but I wanted to post it here to make sure, plus see if anyone is using BRO with a SIEM and what those setups might look like.


Brian Allen, CISSP
Information Security Manager
Washington University
brianallen at wustl.edu<mailto:brianallen at wustl.edu>
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20141031/caa2130c/attachment.html 

More information about the Bro mailing list