[Bro] bro comparison to snort operation

John Babio jbabio at po-box.esu.edu
Wed Jun 26 10:50:08 PDT 2013


Thank you Seth and Samuel. I appreciate the help. :)

On 6/26/13 1:42 PM, "Seth Hall" <seth at icir.org> wrote:

>
>On Jun 26, 2013, at 1:21 PM, John Babio <jbabio at po-box.esu.edu> wrote:
>
>> I need some clarification. I am trying to understand the operations of
>>Bro and how it relates to how snort operates. I am having a little trouble
>>with a few things.
>
>Don't try to draw those comparisons.  They're only going to lead to
>confusion for you. :)
>
>> 1.Where are default rules/signatures/scripts stored in the folder
>>structure?
>
><prefix>/share/bro
>
>> 2. What log file are we supposed to pay attention to? Communication,
>>Notices, Weird or all of them?
>
>Any and all logs could be important depending on what you're
>investigating.  Certain logs like communication.log, notice_policy.log,
>and loaded_scripts.log are Bro doing some internal accounting so that if
>you have questions about how it's behaving you may be able to figure that out.
>
>In "normal" operation the weird log tends to be of less value too (please
>correct me if someone uses that a lot!).  Typically the most important
>logs are the ones that provide some sort of network activity logging
>(i.e. http.log, smtp.log, conn.log, dns.log, software.log, etc.).
>
>> 3. Where do we place custom bro scripts we write?
>
>I typically recommend that people place scripts into
><prefix>/share/bro/site/ and use the local.bro script in that directory
>to load their scripts.
>
>> 4. Is there a skeleton of a basic script somewhere so I know where to
>>start?
>
>I would take a look at the scripts in <prefix>/share/bro/policy/ (there
>are quite a few) to get a general feel of the land.  That directory and
>all of its subdirectories are where most of the scripts are that detect
>various things.
>
>> 5. Where in Bro do I specify sending the data to an external ELSA
>>server?
>
>That is something you'll have to do outside of Bro.  We don't have any
>direct integration at this point in time.  The SecurityOnion project
>should be able to provide some guidance there since they ship with Bro
>logs integrated in ELSA.
>
>  .Seth
>
>--
>Seth Hall
>International Computer Science Institute
>(Bro) because everyone has a network
>http://www.bro.org/
>
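The thread above covers where site scripts live (<prefix>/share/bro/site/, loaded from local.bro) and asks for a skeleton to start from. The following is an added example written for this page, not code from the thread or from the Bro project: a minimal site-local script that raises a Notice when a connection is established to a port the site wants to watch. The file name my_script.bro, the module name MySite, the Notice type name and the two sample ports are all assumptions chosen for illustration.

```bro
# Hypothetical file: <prefix>/share/bro/site/my_script.bro
# Load it by adding this line to <prefix>/share/bro/site/local.bro:
#     @load ./my_script
# (Example added for this page; not from the original thread or Bro.)

@load base/frameworks/notice

module MySite;

export {
    # Every site script that wants its own Notice type extends Notice::Type.
    redef enum Notice::Type += {
        ## Raised when a connection to one of the watched ports is established.
        Watched_Port_Connection,
    };

    ## Ports the site wants to hear about. Constructed sample values;
    ## &redef lets local.bro override the set without editing this file.
    const watched_ports: set[port] = { 23/tcp, 3389/tcp } &redef;
}

# connection_established fires once the TCP handshake completes, so the
# handler only sees connections that actually got through.
event connection_established(c: connection)
    {
    if ( c$id$resp_p in watched_ports )
        {
        NOTICE([$note=Watched_Port_Connection,
                $msg=fmt("connection to watched port %s", c$id$resp_p),
                $conn=c,
                # identifier lets the notice framework suppress repeats
                # for the same source/port pair.
                $identifier=cat(c$id$orig_h, c$id$resp_p)]);
        }
    }
```

The resulting notices land in notice.log alongside the other network-activity logs the reply points to; to change which ports are watched from local.bro, redefine the set there (for example, `redef MySite::watched_ports += { 22/tcp };`) rather than editing the script itself.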