[Bro] Some sample using bro as a post correlator?
carlopmart
carlopmart at gmail.com
Thu Oct 6 04:07:11 PDT 2011
On 10/04/2011 04:18 PM, Seth Hall wrote:
>
> On Oct 4, 2011, at 8:25 AM, carlopmart wrote:
>
>> On 10/01/2011 07:28 PM, carlopmart wrote:
>>> I have configured a pcap output filter on my snort sensor. Can I use
>>> bro-ids as realtime correlator using this configuration?? Some sample
>>> how can I do this??
>>
>> Any hints??
>
>
> I'm not exactly sure what you would be trying to accomplish in this scenario but what I would expect is that you would receive individual packets that caused a snort rule to trigger. Individual packets are going to be somewhat useless to Bro since Bro's analysis model is to fully reassemble streams and analyze the protocols contained within.
>
> Alternately, you can use the Bro output plugin that Barnyard2 has. The next release of Bro has a script for taking the output from Snort/Suricata from Barnyard2 and logging it. At some point once we identify beneficial correlation techniques we will probably start adding out of the box correlations for Snort/Suricata rules. Right now you will have to write you own script if you want to do correlation or suppression of Snort/Suricata alerts.
>
> .Seth
>
> --
Sorry Seth for my later response. At this moment, my "problem" can be
resolved if bro-ids can take output from barnyard2. Is it possible do
this using 1.5.3 release or do I need to use release from git repository??
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
More information about the Bro
mailing list