[Bro] Exporting bro alarms and notices

Louis F Ruppert lruppert at syr.edu
Thu Nov 10 05:42:35 PST 2011


Hello.

If you're using 1.5.x, you can export alarms via syslog like this:

redef enable_syslog = T;

Some of my installations use prelude's LML to then pull the syslogged alerts in and mix them with the other NIDS/HIDS data.

If you're using 2.x beta, Martin did a good writeup here on how to use rsyslog to syslog them to another server:

http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html

I'm glad you asked about the IDMEF support.  I've been making some noise for that as well. :)


-Lou
--
Lou Ruppert
Intrusion Analyst, GCFA
Information Security
Syracuse University
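An added example, not code from this thread or from Bro itself: a small Python parser for a Bro 2.x ASCII notice.log (the "#" header directives followed by tab-separated records) that renders each notice as a syslog-style line of the kind you would hand to an rsyslog relay, which is the route Lou describes for 2.x. The sample log lines are constructed, and the field set, the `sensor1` hostname and the local0/warning priority are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample of a Bro 2.x notice.log: "#" header directives, then
# tab-separated records. The field set is an assumption of this example.
SAMPLE_NOTICE_LOG = """#separator \\x09
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsub
1320933600.000000\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.5\t22\tSSH::Password_Guessing\t192.0.2.10 appears to be guessing SSH passwords\t-
1320933605.000000\t-\t203.0.113.7\t-\t-\t-\tScan::Port_Scan\t203.0.113.7 scanned 25 ports\t(empty)
"""

# syslog PRI = facility * 8 + severity; local0 (16) and warning (4) are assumed.
SYSLOG_PRI = 16 * 8 + 4


def parse_bro_log(text):
    """Yield one dict per record, honouring the log's own header directives.
    Unset fields become None and empty fields "", so a consumer can tell
    "no value" from "empty string" instead of forwarding a literal "-"."""
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    for line in filter(None, text.splitlines()):
        if line.startswith("#separator "):
            # The header value is escaped, e.g. "\x09" for a tab.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
        else:
            if fields is None:
                raise ValueError("record seen before #fields header")
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError("field count mismatch: %r" % line)
            yield {name: None if v == unset else "" if v == empty else v
                   for name, v in zip(fields, values)}


def notice_to_syslog(rec, hostname="sensor1"):
    """Render one notice as an RFC 3164 style line for an rsyslog relay."""
    ts = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    return "<%d>%s %s bro: %s src=%s dst=%s msg=%s" % (
        SYSLOG_PRI, ts.strftime("%b %d %H:%M:%S"), hostname, rec["note"],
        rec.get("id.orig_h") or "-", rec.get("id.resp_h") or "-", rec["msg"])
```

Pointing rsyslog (or a syslog client) at the lines this produces keeps the downstream IDS from ever seeing Bro's "-" and "(empty)" placeholders as real values.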
________________________________
From: bro-bounces at bro-ids.org [bro-bounces at bro-ids.org] on behalf of George Noseevich [ngo at lvk.cs.msu.su]
Sent: Thursday, November 10, 2011 8:07 AM
To: bro at bro-ids.org
Subject: [Bro] Exporting bro alarms and notices


Hello members of the mailing list.

What is the proper way to export alarms generated by bro for further
processing/import into another ids?

As far as I understand the docs, bro by default dumps generated alarms
to the file or can send them via email.  Is there a way to extend bro to
enable e.g. storing alarms in a database? Or maybe there is a way to
subscribe to alarms from broccoli-enabled custom app (though as far as I
understand the docs, via broccoli one can only subscribe to bro's
events, not alerts or notices)?

The only way to achieve alarm export I see at the moment is to parse the
logfile, which is obviously an ugly kludge.

Thanks in advance for your answers.

PS. And could you please clarify what is the current status of IDMEF
support in bro?

--
George.
