[Bro] Bro Detections and Compliance Questions

Zeolla@GMail.com zeolla at gmail.com
Fri Mar 3 15:28:37 PST 2017


Another solution could be Apache Metron (previously OpenSOC).  It handles
pcap and bro logs natively, among other things.

Jon

On Fri, Mar 3, 2017, 6:24 PM Johanna Amann <johanna at icir.org> wrote:

> On Thu, Feb 23, 2017 at 02:20:37PM +0000, Andrew Dellana wrote:
> > When a bro script detects something, how can you go about resolving the
> > issues that caused it (assuming it wasn't noise that caused it)? Is
> > there something that I change in Bro or is this something that would be
> > covered in the corporate compliance / security?
>
> You have to handle that either outside of Bro, or use something like
> netcontrol to change your network settings (if appropriate).
>
> > Following up with that what is the best practice to analyze the packet
> > captures from Bro to determine if there is an actual issue? I am
> > currently looking into Splunk as a log parser.
>
> There is a wide variety of tools used for the job, but Splunk is certainly
> popular. Others just operate directly on the logfiles; an ELK stack might
> be another solution.
>
> Johanna
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-- 

Jon

Sent from my mobile device
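Johanna's last point, that some people "operate directly on the logfiles", is easy to do because Bro's logs carry their own schema in the header lines (#separator, #set_separator, #empty_field, #unset_field, #fields, #types). The following is an added example, not code from this thread or from the Bro project: a small parser for that native TSV format plus one triage query that pulls out sources with repeated SSH connection attempts. The embedded conn.log excerpt is constructed for the example and is trimmed to a subset of the real conn.log columns (the header syntax is the real one); the failed-state list, the threshold of 3 and the function names are the example's own choices, not anything Bro defines.

```python
"""Parse Bro's native TSV log format and run a triage query over it.

Added example, not from the original thread or the Bro project.
"""
from collections import defaultdict

# Constructed conn.log excerpt (not real traffic). Column set is reduced
# compared to a real conn.log; header directives are written the way Bro
# writes them, including the hex-escaped separator on the first line.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\tconn_state\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"
    "\tstring\tset[string]\n"
    "1488582000.1\tCa1\t10.0.0.5\t51234\t192.168.1.10\t22\ttcp\tssh\t1.5\tSF\t(empty)\n"
    "1488582001.2\tCb2\t203.0.113.7\t40001\t192.168.1.10\t22\ttcp\t-\t-\tS0\t(empty)\n"
    "1488582001.4\tCb3\t203.0.113.7\t40002\t192.168.1.11\t22\ttcp\t-\t-\tREJ\t(empty)\n"
    "1488582001.6\tCb4\t203.0.113.7\t40003\t192.168.1.12\t22\ttcp\t-\t-\tS0\t(empty)\n"
    "1488582002.0\tCb5\t203.0.113.7\t40004\t192.168.1.12\t22\ttcp\tssh\t3.2\tSF\t(empty)\n"
    "1488582003.0\tCc6\t10.0.0.5\t51300\t93.184.216.34\t443\ttcp\tssl\t0.9\tSF\tCt9\n"
    "#close\t2017-03-03-15-05-00\n"
)


def _unescape(s):
    # Bro writes the separator in escaped form (e.g. "\x09"); turn it into the real byte.
    return s.encode().decode("unicode_escape")


def _convert(value, btype, meta):
    """Turn one TSV cell into a Python value according to its #types entry."""
    if value == meta["unset_field"]:
        return None                       # "-" means the field was never set
    if btype.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []                     # "(empty)" container
        inner = btype[btype.index("[") + 1:-1]
        return [_convert(v, inner, meta) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value                          # string, addr, enum, subnet stay as text


def parse_bro_log(text):
    """Return (meta, rows): header directives and a list of typed row dicts."""
    meta = {"separator": "\t", "set_separator": ",",
            "empty_field": "(empty)", "unset_field": "-"}
    fields = types = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The only header line that is space-delimited, since the separator
            # is not known yet when it is read.
            meta["separator"] = _unescape(line.split(" ", 1)[1])
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(meta["separator"])
            vals = rest.split(meta["separator"]) if rest else []
            if key == "fields":
                fields = vals
            elif key == "types":
                types = vals
            elif key in ("set_separator", "empty_field", "unset_field"):
                meta[key] = vals[0]
            else:
                meta[key] = rest          # path, open, close, ...
            continue
        if fields is None or types is None:
            raise ValueError("data line before #fields/#types header")
        parts = line.split(meta["separator"])
        if len(parts) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        rows.append({f: _convert(v, t, meta) for f, v, t in zip(fields, parts, types)})
    return meta, rows


SSH_PORT = 22
# conn_state values where the handshake never completed or was torn down early
# (chosen for this example; see the conn.log documentation for the full list).
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0", "RSTR", "RSTRH", "SH", "SHR"}


def ssh_scan_candidates(rows, threshold=3):
    """Sources with >= threshold TCP connections to port 22, with attempt,
    failure counts and the distinct hosts they touched. Threshold is
    illustrative, not a Bro default."""
    per_src = defaultdict(lambda: {"attempts": 0, "failed": 0, "targets": set()})
    for r in rows:
        if r["proto"] != "tcp" or r["id.resp_p"] != SSH_PORT:
            continue
        s = per_src[r["id.orig_h"]]
        s["attempts"] += 1
        s["targets"].add(r["id.resp_h"])
        if r["conn_state"] in FAILED_STATES:
            s["failed"] += 1
    return {src: {"attempts": v["attempts"], "failed": v["failed"],
                  "targets": sorted(v["targets"])}
            for src, v in per_src.items() if v["attempts"] >= threshold}


if __name__ == "__main__":
    meta, rows = parse_bro_log(SAMPLE_CONN_LOG)
    print(meta["path"], len(rows), "rows")
    for src, info in ssh_scan_candidates(rows).items():
        print(src, info)
```

The parser honours the header directives rather than hard-coding tabs and "-", so the same function reads any Bro log (dns.log, ssh.log, notice.log) and also logs written with a changed separator. For a real investigation the triage step would normally be joined against ssh.log's auth_success/auth_attempts columns before deciding whether an alert is noise.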