[Bro] Some sample using bro as a post correlator?

Seth Hall seth at icir.org
Tue Oct 4 07:18:11 PDT 2011


On Oct 4, 2011, at 8:25 AM, carlopmart wrote:

> On 10/01/2011 07:28 PM, carlopmart wrote:
>> I have configured a pcap output filter on my snort sensor. Can I use
>> bro-ids as realtime correlator using this configuration?? Some sample
>> how can I do this??
> 
> Any hints??


I'm not exactly sure what you would be trying to accomplish in this scenario but what I would expect is that you would receive individual packets that caused a snort rule to trigger.  Individual packets are going to be somewhat useless to Bro since Bro's analysis model is to fully reassemble streams and analyze the protocols contained within.

Alternately, you can use the Bro output plugin that Barnyard2 has.  The next release of Bro has a script for taking the output from Snort/Suricata from Barnyard2 and logging it.  At some point once we identify beneficial correlation techniques we will probably start adding out of the box correlations for Snort/Suricata rules.  Right now you will have to write you own script if you want to do correlation or suppression of Snort/Suricata alerts.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/





More information about the Bro mailing list