[Bro] bro-ids + sguil

Christian Kreibich christian at whoop.org
Thu Jul 13 06:53:01 PDT 2006


Hi Lee,

On Wed, 2006-07-12 at 03:50 -0700, Lee Sheng wrote:
> Christian,
> 
> I have read a lot regarding brocolli

It's "Broccoli". Like the food. Two "c"s, one "l". :^)

> and it seems that's what's needed to code with instead of hacking the bro
> src. Especially since brocolli is able to talk to bro to extract the
> information it needs. From my experience with sguil, that's how snort
> gets to talk to sguil, in this form -
> 
> snort -> barnyard (snort's native db output plugin, hacked to work
> with the sguil sensor) -> sguil sensor -> sguil server
> 
> Previously the sguil developers modded snort for its portscan data, and
> that's now no longer needed; instead they just need to mod barnyard. Is it
> similar with bro as well, where
> 
> bro-ids -> brocolli(hack to work with sguil sensor) -> sguil sensor ->
> sguil server

Please don't make any changes to Broccoli that add features irrelevant
to Bro's communication protocol, since such patches will never get in.
Rather, I'd suggest writing a translator or something that uses Broccoli
to receive Bro events, then translates them into whatever sguil needs,
and forwards that on to the sguil sensor. Kind of like this:

  bro-ids -> bro2sguil translator -> sguil server.

That translator would effectively function as a sguil sensor.
Alternatively, if the sguil server is sufficiently flexible, it'll just
get a new Bro module in addition to other things it can talk to.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org