[Bro] Input to quarantine system

Martin Holste mcholste at gmail.com
Thu Oct 18 12:37:58 PDT 2012


This could be done with an ELSA connector (I know, I'm referring to
ELSA, shocker!) that wrote directly to the database.  ELSA includes a
connector for CIF that does just that and could be easily edited to
become a custom input connector.  If you're interested, let me know,
and I'll write it for you.

On Thu, Oct 18, 2012 at 2:18 PM, Tyler T. Schoenke
<tyler.schoenke at colorado.edu> wrote:
> Hi All,
>
> We are rewriting a helper service due to internal changes in our
> network security environment.  We currently send Bro alarms via email to
> our Request Tracker (RT) database, and call the old helper to parse the
> email, and gather user information so we can quarantine infected
> machines.  That works decently, but I was wondering if there is a better
> way to do this.  Perhaps some method that is easier to parse.  We need
> to feed some XML into an API for our Network Access Control.
>
> We primarily need IP, timestamp, and a short description of the alarm.
> Right now, timestamp isn't included in the emailed alarms.  Is there a
> better way to send alarms in an easily parsable format?  Is there an
> easy way to bulk include timestamp in all alarms?
>
> Thanks,
>
> Tyler
>
> --
> Tyler Schoenke
> Network Security Manager
> IT Security Office
> University of Colorado at Boulder
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
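As an added example (not code from Martin, Tyler or the ELSA project), one way to get the three items Tyler lists without parsing email is to read Bro's tab-separated notice.log, whose #fields header already names ts, note, msg and src, and turn each record into the XML the NAC wants. The log sample below is constructed, and the XML element names are placeholders for whatever the real NAC schema requires.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the layout of Bro's tab-separated notice.log. The #fields
# header names the columns, so the parser keys on names rather than positions.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsrc",
    "1350592678.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t49152\t198.51.100.7\t80"
    "\tScan::Address_Scan\t10.0.0.5 scanned at least 25 unique hosts on port 80/tcp\t10.0.0.5",
    "1350592700.000000\t-\t-\t-\t-\t-\tSSH::Password_Guessing"
    "\t10.0.0.9 appears to be guessing SSH passwords\t10.0.0.9",
    "#close\t2012-10-18-14-00-00",
])

def parse_notice_log(text):
    """Yield one dict per record, keyed by the column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count mismatch: %r" % line)
            yield dict(zip(fields, values))

def quarantine_records(text):
    """Reduce each notice to what the NAC needs: IP, UTC timestamp, description."""
    out = []
    for rec in parse_notice_log(text):
        # 'src' is the host the notice blames; fall back to the originator if unset ("-").
        ip = rec["src"] if rec["src"] != "-" else rec["id.orig_h"]
        if ip == "-":
            continue  # nothing to quarantine
        ts = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        out.append({"ip": ip, "timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "description": "%s: %s" % (rec["note"], rec["msg"])})
    return out

def to_xml(records):
    """Serialise as XML; element names are placeholders, not the NAC's real schema."""
    root = ET.Element("quarantine_requests")
    for r in records:
        req = ET.SubElement(root, "request")
        for key in ("ip", "timestamp", "description"):
            ET.SubElement(req, key).text = r[key]
    return ET.tostring(root, encoding="unicode")
```

Keying on the #fields header means the helper keeps working when a Bro upgrade or local script adds or reorders notice.log columns.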
