[Bro] Bro Digest, Vol 3, Issue 11

CS Lee geek00l at gmail.com
Sat Jul 15 15:12:59 PDT 2006


Christian,

That's awesome. Thanks a lot.

On 7/14/06, bro-request at icsi.berkeley.edu <bro-request at icsi.berkeley.edu>
wrote:
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 13 Jul 2006 15:53:01 +0200
> From: Christian Kreibich <christian at whoop.org>
> Subject: Re: [Bro] bro-ids + sguil
> To: Lee Sheng <darkxer05 at yahoo.com>
> Cc: bro at ICSI.Berkeley.EDU
> Message-ID: <1152798781.446.29.camel at strangepork>
> Content-Type: text/plain
>
> Hi Lee,
>
> On Wed, 2006-07-12 at 03:50 -0700, Lee Sheng wrote:
> > Christian,
> >
> > I have read a lot regarding brocolli
>
> It's "Broccoli". Like the food. Two "c"s, one "l". :^)
>
> > and it seems that's what's needed to code with instead of hacking the bro
> > src, especially since brocolli is able to talk to bro to extract the
> > information it needs. From my experience with sguil, this is how snort
> > gets to talk to sguil:
> >
> > snort -> barnyard (snort's native db output plugin, hacked to work
> > with the sguil sensor) -> sguil sensor -> sguil server
> >
> > Previously the sguil developers modded snort for its portscan data; now
> > that is no longer needed and instead only barnyard needs to be modded. Is
> > it similar with bro as well, i.e.
> >
> > bro-ids -> brocolli (hacked to work with the sguil sensor) -> sguil sensor ->
> > sguil server
>
> Please don't make any changes to Broccoli that add features irrelevant
> to Bro's communication protocol, since such patches will never get in.
> Rather, I'd suggest writing a translator or something that uses Broccoli
> to receive Bro events, then translates them into whatever sguil needs,
> and forwards that on to the sguil sensor. Kind of like this:
>
>   bro-ids -> bro2sguil translator -> sguil server.
>
> That translator would effectively function as a sguil sensor.
> Alternatively, if the sguil server is sufficiently flexible, it'll just
> get a new Bro module in addition to other things it can talk to.
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
>                                           http://www.cl.cam.ac.uk/~cpk25
>                                                     http://www.whoop.org
>
-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>