[Bro] Bro Detections and Compliance Questions
zeolla at gmail.com
Fri Mar 3 15:28:37 PST 2017
Another solution could be Apache Metron (previously OpenSOC). It handles
pcap and bro logs natively, among other things.
On Fri, Mar 3, 2017, 6:24 PM Johanna Amann <johanna at icir.org> wrote:
> On Thu, Feb 23, 2017 at 02:20:37PM +0000, Andrew Dellana wrote:
> > When a bro script detects something, how can you go about resolving the
> > issues that caused it (assuming it wasn't noise that caused it)? Is
> > there something that I change in Bro or is this something that would be
> > covered in the corporate compliance / security?
> You have to handle that either outside of Bro, or use something like
> netcontrol to change your network settings (if appropriate).
> > Following up with that what is the best practice to analyze the packet
> > captures from Bro to determine if there is an actual issue? I am
> > currently looking into Splunk as a log parser.
> There is a wide variety of tools used for the job, but Splunk is certainly
> popular. Others just operate directly on the logfiles; an ELK stack might
> be another solution.
Sent from my mobile device
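As an added illustration of the "use something like netcontrol" answer above (this is example code written for this page, not a script from the thread or from the Bro project): a small Bro 2.5 script that turns a selected notice into a time-limited block through the NetControl framework. It assumes the NetControl debug plugin (which only records what it would do, so it runs without a switch or firewall backend), the SSH::Password_Guessing notice from the stock detect-bruteforcing policy, and Site::local_nets as the list of networks that must never be blocked; the module name and the block_notices set are constructed for the example.

```bro
# Added example, not from the thread: wire a Bro notice to NetControl so a
# detection can block the offending host for a limited time.
# Assumes Bro 2.5 (NetControl ships in base) and the stock SSH brute-force
# policy script.

@load base/frameworks/notice
@load base/frameworks/netcontrol
@load protocols/ssh/detect-bruteforcing

module NoticeBlock;

export {
    # Notices we are willing to act on (constructed policy for this example).
    const block_notices: set[Notice::Type] = {
        SSH::Password_Guessing,
    } &redef;

    # How long a source stays blocked before the NetControl rule expires.
    const block_duration = 10 min &redef;
}

event NetControl::init()
    {
    # The debug plugin only writes to netcontrol.log; replace it with a real
    # backend plugin (OpenFlow, acld, ...) to act on network hardware.
    local debug = NetControl::create_debug(T);
    NetControl::activate(debug, 0);
    }

hook Notice::policy(n: Notice::Info)
    {
    # Only act on notices we chose to act on, and only when a source exists.
    if ( n$note !in block_notices || ! n?$src )
        return;

    # Never block our own address space, even if a notice names it.
    if ( n$src in Site::local_nets )
        return;

    # drop_address returns the rule id, or an empty string if no plugin
    # accepted the rule; the outcome is visible in netcontrol.log either way.
    local rule_id = NetControl::drop_address(n$src, block_duration,
                                             fmt("notice %s", n$note));
    if ( rule_id == "" )
        Reporter::warning(fmt("NetControl refused block for %s", n$src));
    }
```

Run it with `bro -i <iface> local NoticeBlock.bro` (or add it to local.bro). The time limit and the local-network exclusion are the two checks worth keeping whatever backend you use: an expiring rule bounds the damage of a false positive, and the exclusion prevents a spoofed or noisy internal host from being cut off by its own sensor.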