[Bro] Revisiting CEF formatted BRO Logs

Patrick Cain pcain at coopercain.com
Sat Aug 27 09:22:19 PDT 2016



In Arcsight speak: You could also just create a flex connector to read the
ascii/json bro logs and spit out CEF. The easy way is to create one flex for
each file you're reading; the much more fun way is to craft one big one that
handles all the different files using a multi-file reader (There is an old
project on github that did this.).


I took the one-flex-per-filetype approach. Took a few hours to get logs




From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Ward
Sent: Saturday, July 30, 2016 11:15 AM
To: Ludwig Goon <lagoon7 at gmail.com>; bro at bro.org
Subject: Re: [Bro] Revisiting CEF formatted BRO Logs


If I were in your shoes and assuming it's possible to add the sensor ID/name
to the bro logs, I would just add that one field (keeping the same format,
etc) and not rewrite everything for CEF.  

Then I would press HP support to give me the encrypted bro parser (they have
given me several parsers in the past) and write a parser override to account
for the new sensor/worker field.

Sorry this doesn't answer your question directly, but maybe this route is an
option for you.




From: bro-bounces at bro.org <mailto:bro-bounces at bro.org>  <bro-bounces at bro.org
<mailto:bro-bounces at bro.org> > on behalf of Ludwig Goon <lagoon7 at gmail.com
<mailto:lagoon7 at gmail.com> >
Sent: Thursday, July 28, 2016 9:53 AM
To: bro at bro.org <mailto:bro at bro.org> 
Subject: [Bro] Revisiting CEF formatted BRO Logs 


Can someone from the community provide more information or examples of using
log writer to create CEF formatted logs for consumption with Arcsight SIEMs?


it seems that we can not customize arcsight connectors for BRO logs however
since arcsight can accept CEF events directly I would like to experiment
with directly sending CEF formatted BRO events from the standard log set.


Additionally I have 5 BRO sensors and would like to tag each event with the
BRO sensor's hostname before sending it to arc sight. The default logs do
not allow that modification and documentation is not the greatest. If you
want to do this in Arcsight via the connector, which is a version or two
behind, the connector will not allow the adding of the hostname.


So I have attempted to write PERL and PYTHON converters but the performance
of tailing logs and sending all events is challenging. 


Also using brocut requires scripting and again not sure if I am sending ALL
log events.



In previous questions to the forum the answer was using the logging
framework however I have not seen anymore content on this subject. Thus here
is my formal request:


Can someone show how to use the logging framework to convert or have bro
output the http.log into CEF format? Also can I add custom fields such as
sensor-name and the end of the event or at the beginning near CEF:0.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160827/623fcd94/attachment.html 

More information about the Bro mailing list