[Bro] Bro and filesystem data on a host (UNCLASSIFIED)

Fair, Charles A SSG USARMY NG NGB ARNG PEC (US) charles.a.fair2.mil at mail.mil
Wed Feb 27 09:03:51 PST 2013


Classification: UNCLASSIFIED
Caveats: NONE

If I understand correctly, the input framework is the way that log files,
for instance from a host, can be ingested by Bro?  One of the things I was
interested in doing was identifying key information from a log, such as a MS
Windows Event log, via event viewer to syslog, with network traffic.  This
would be similar to how Bro can analyze SSL Certs.  

What I was wondering about was what could Bro do with a filesystem beyond
log files?  An example on a MS system would be identifying the last run time
of a file via prefetch data that was communicating over a socket, that was
identified by Bro.  Of course this is assuming that Bro has access to the
filesystem of the system in question.  

Regards, 

SSG Charles "Chuck" A. Fair
Information Systems/Information Assurance NCO 
Information Technology Training Center, PEC, Camp Robinson AR 


-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Wednesday, February 27, 2013 10:52 AM
To: Fair, Charles A SSG USARMY NG NGB ARNG PEC (US)
Cc: bro at bro-ids.org; Seth Hall
Subject: Re: Bro and filesystem data on a host (UNCLASSIFIED)


On Feb 27, 2013, at 11:45 AM, "Fair, Charles A SSG USARMY NG NGB ARNG PEC
(US)" <charles.a.fair2.mil at mail.mil> wrote:

> We spoke at the 2012 Bro Exchange about how Bro can be used on a
> filesystem of a host or such, brain a bit fuzzy this early in the morning at
> 10:36 :)  Could you expand on the topic a bit/point me in the right
> direction?


How are you looking to use it?  We have the input framework in 2.1 for
reading from inputs that we have plugins for (essentially only Bro logs and
text files right now).  We may have quite a bit more functionality regarding
that in 2.2.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
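As an added illustration of the text-file ingestion Seth describes above (it is example code written for this archive page, not code from the thread or from the Bro project): a Bro 2.1 script that uses the Input framework to load a tab-separated file exported from the host side, keyed by host address and local port, and then enriches conn.log with the executable and last-run time the host reported for that socket. The Input::add_table call, Input::REREAD mode, Input::update_finished event and the redef of Conn::Info are the framework's own interfaces; the file path, the column names, the HostProc module name and the idea that some host agent writes prefetch-derived data into that file are assumptions made for the example.

```bro
# Added example, not part of the thread. Assumes a host-side agent exports
# a tab-separated file (constructed sample below, path is a placeholder):
#
#   #fields host        p           exe                       last_run
#   10.0.0.5            49213/tcp   C:\Windows\explorer.exe   1361980000.0
#
# The header line is required by the ASCII reader; columns are tab-separated
# and must match the field names of Idx and Val.

module HostProc;

export {
	## Index: the monitored host and the local port it had open.
	type Idx: record {
		host: addr;
		p:    port;
	};

	## Value: what the host reports about the process behind that socket.
	type Val: record {
		exe:      string;
		last_run: time;
	};

	## Placeholder path; point this at the exported file in your deployment.
	const source_file = "/path/to/hostproc.tsv" &redef;
}

# Extra conn.log columns, filled only when a host record matched.
redef record Conn::Info += {
	host_exe:      string &optional &log;
	host_last_run: time   &optional &log;
};

global procs: table[addr, port] of Val = table();

event bro_init()
	{
	# REREAD re-loads the table whenever the host agent rewrites the file.
	Input::add_table([$source=source_file, $name="hostproc",
	                  $idx=Idx, $val=Val, $destination=procs,
	                  $mode=Input::REREAD]);
	}

event Input::update_finished(name: string, source: string)
	{
	if ( name == "hostproc" )
		print fmt("hostproc: %d socket/process records loaded from %s", |procs|, source);
	}

# Runs after Conn's own handler has populated c$conn (priority 5) and before
# it writes the record (priority -5), so the added fields reach conn.log.
event connection_state_remove(c: connection)
	{
	local v: Val;

	# The monitored host may be either the originator or the responder.
	if ( [c$id$orig_h, c$id$orig_p] in procs )
		v = procs[c$id$orig_h, c$id$orig_p];
	else if ( [c$id$resp_h, c$id$resp_p] in procs )
		v = procs[c$id$resp_h, c$id$resp_p];
	else
		return;

	c$conn$host_exe      = v$exe;
	c$conn$host_last_run = v$last_run;
	}
```

Because a local port number is reused over time, the host export only describes sockets open at the moment it was taken, so a match says "this port was held by that executable when the file was written", not that every later connection on the port came from the same process; keeping the export fresh (hence REREAD) is what makes the enrichment trustworthy.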





