[Bro] Bro & OSSEC?

scott campbell scampbell at lbl.gov
Tue Dec 26 14:23:07 PST 2006



Please see comments inline.

Kurt wrote:
> Hello. I'm new to the list and still a relatively new user of Bro. I've been an avid user of OSSEC (http://www.ossec.net) for quite some time now, and I would like to start incorporating Bro into my network security posture. To that end, I have a couple questions:
> 
> 1. Has anyone had any experience with Bro and OSSEC together? 
As far as I know, there has been no interaction between the two
projects.  Seems like a natural fit though.


> 2. Is there any interest in the Bro community for some sort of interface into OSSEC? 
After reading the ossec web page, I suspect that there might be a
general interest in this.  Personally I think it is an excellent idea.
See #3.

> 3. Just to make sure I'm not stepping on anyone's toes, there aren't any formal projects underway to create such an interface between Bro and OSSEC are there? I would very much like to work on such a project, but if one is already in progress, I don't want to duplicate efforts or infringe on someone else's territory.
The one question that I would have is regarding the direction of
integration.  If you are not a big bro user, it seems natural to just
take bro as an additional data source and be done with it.

From my perspective, it might be interesting to be able to use ossec as
a way to feed interesting information into bro and let it correlate
incoming network connections with host based events.  There has been
some work with this with syslog, ssh and apache logs via the broccoli
library.

For more examples of this, look on the bro web site:

http://www.bro-ids.org

and my personal site www.nersc.gov/~scottc under "Notes on new Bro
functionality"

cheers,

scott



> 
> Thanks.
>  
> Kurt
> perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print" 
> My Blog: http://kwoon.blogspot.com
> PGP Public Key (0x71D25CDA) @ http://cryptonomicon.mit.edu/
> -----
> Inveniemus viam aut faciemus --Hannibal

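The correlation direction Scott describes, host-based events fed into the network monitor and matched against the connections it saw, sketched as a small Python correlator. This is an added example, not code from the Bro or OSSEC projects or from either poster: the alert text, connection records and rule ids are constructed samples, and the `Conn` record layout is an assumption for illustration rather than Bro's actual conn-log format.

```python
import re
from collections import namedtuple

# Host events (OSSEC-style alerts) are matched against connections the network
# sensor saw, so a failed login on a host is tied to the flow that carried it.
# All alert text, connection records and rule ids below are constructed samples;
# the Conn layout is an assumption for this example, not Bro's own log format.
Conn = namedtuple("Conn", "ts orig resp resp_port service")  # ts: epoch seconds

ALERT_RE = re.compile(
    r"\*\* Alert (?P<ts>\d+\.\d+):[^\n]*\n"            # header with alert time
    r"[^\n]*?(?P<host>\S+)->[^\n]*\n"                  # "<date> <host>-><logfile>"
    r"Rule: (?P<rule>\d+) \(level \d+\) -> '(?P<desc>[^']*)'\n"
    r"Src IP: (?P<src>\S+)")

def parse_alerts(text):
    """Extract ts, host, rule, desc and src fields from each alert block."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def correlate(alerts, conns, hosts, window=30.0):
    """Pair each alert with connections from its Src IP to the alerting host
    (hostname resolved via `hosts`) that began within `window` seconds before it."""
    hits = []
    for a in alerts:
        ts, target = float(a["ts"]), hosts.get(a["host"])
        for c in conns:
            if c.orig == a["src"] and c.resp == target and 0 <= ts - c.ts <= window:
                hits.append((int(a["rule"]), a["src"], c.resp_port, c.service))
    return hits

SAMPLE_ALERTS = (  # constructed, OSSEC-like alert blocks
    "** Alert 1167172987.10: - syslog,sshd,authentication_failed,\n"
    "2006 Dec 26 14:23:07 bastion->/var/log/secure\n"
    "Rule: 5716 (level 5) -> 'SSHD authentication failed.'\n"
    "Src IP: 192.0.2.10\nUser: root\n\n"
    "** Alert 1167173000.40: - syslog,apache,\n"
    "2006 Dec 26 14:23:20 www->/var/log/httpd/error_log\n"
    "Rule: 30115 (level 6) -> 'Attempt to access forbidden file or directory.'\n"
    "Src IP: 198.51.100.7\n")
SAMPLE_CONNS = [  # constructed connection records as a sensor might report them
    Conn(1167172985.0, "192.0.2.10", "10.0.0.5", 22, "ssh"),
    Conn(1167172900.0, "192.0.2.10", "10.0.0.5", 22, "ssh"),    # too old: outside window
    Conn(1167172999.0, "198.51.100.7", "10.0.0.8", 80, "http"),
    Conn(1167172999.5, "203.0.113.3", "10.0.0.8", 80, "http"),  # different source IP
]
HOSTS = {"bastion": "10.0.0.5", "www": "10.0.0.8"}  # alert hostname -> sensor-side IP

def demo():
    return correlate(parse_alerts(SAMPLE_ALERTS), SAMPLE_CONNS, HOSTS)
```

Each hit names the triggering rule, the remote source and the port and service of the connection that carried the activity; tightening `window` drops matches whose connection began too long before the alert.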


