[Bro] Bro-IDS integration to sguil

Christian Kreibich christian at whoop.org
Tue Jul 4 09:20:32 PDT 2006


On Tue, 2006-07-04 at 07:27 -0700, Lee Sheng wrote:
> Hi all, I think I had previously mentioned the
> availability of brooery, and Christian replied
> with the answer that brooery is not ready yet and
> recommended that I try sguil. I have been a long-time user
> of sguil in a production environment, and I would
> like to see the integration of bro-ids to provide
> alert data to sguil.

Yeah, that'd definitely be useful.

> While sguil integrates 4 forms of data, including alert
> data provided by snort, I think it's possible
> to have bro-IDS alert data sent to sguil as well. I
> have talked to the core developer of sguil, Bamm, and
> he told me that it can be done by having bro talk
> to the sensor_agent.tcl.
> 
> I'm not that familiar with bro compared to snort,
> thus I would like to know any pointers and references
> that can help me to complete the integration of bro to
> sguil. Many thanks.

You definitely want to check out the Broccoli library -- communication
with other nodes is intrinsic now in Bro, and Broccoli provides nearly
full-blown Bro communications endpoint functionality to external
applications:

  http://www.cl.cam.ac.uk/~cpk25/broccoli/index.html

I'm not familiar with sensor_agent.tcl but instead of hacking more
support for external features into Bro, Broccoli is very likely the
better alternative. Indeed if we had Broccoli bindings to more languages
it'd become even easier, but finding the time is a problem right now...

> I think it would be lovely to have it done.

No doubt! Keep us posted.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org