[Bro] bro question with SIEM

Brant Hale branthale at gmail.com
Fri Oct 31 13:08:51 PDT 2014


Brian,

I also have Qradar and am looking to supplement it with BRO - mainly the
Security Onion platform. The systems have some overlap, I suspect that
they are just going to want raw network data as they have their own tools
to pull info out. I am planning on sending my syslog data to Qradar and
pulling the BRO data from a network tap. So both systems will run in
parallel not one reporting to the other.

Do let us know what you end up with.

Brant


On Fri, Oct 31, 2014 at 3:45 PM, Allen, Brian <brianallen at wustl.edu> wrote:

>  Hi -
>
>  Our Medschool uses the IBM Qradar SIEM tool, and we have a project to
> expand it to cover the rest of the University.  Since we have a SIEM now, I
> figured I might as well put the best logs I have in it -  which include BRO
> logs: http, dns, conn, etc.
>
>  IBM is asking me the following question:  Is BRO able to forward raw
> flow data that has not been normalized or altered?
>
>   I'm pretty sure the answer is no because I have worked with raw flow
> data with flow-tools a lot, but I wanted to post it here to make sure, plus
> see if anyone is using BRO with a SIEM and what those setups might look
> like.
>
>  Thanks,
> -Brian
>
>   Brian Allen, CISSP
> Information Security Manager
> Washington University
> brianallen at wustl.edu
> 314-935-5380
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
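Brian's question is whether Bro's logs can reach the SIEM unaltered. As an added example that is not part of this thread (and not Bro's, Security Onion's or QRadar's own code), the Python below reads Bro's tab-separated ASCII log using the file's own #separator/#fields/#types header, keeps timestamps, addresses and strings verbatim, and renders each record as a key=value line that a syslog forwarder can ship; the conn.log sample is constructed and the `bro_<path>` prefix is an assumed naming convention.

```python
import re

# Constructed sample in Bro's ASCII log format (values made up; schema is Bro's conn.log).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1414785600.123456\tCjhGD34\t10.0.0.5\t52344\t192.0.2.10\t53\tudp\tdns\t0.001\t40\t120\tSF
1414785601.000000\tCkPq9r1\t10.0.0.5\t52345\t198.51.100.7\t443\ttcp\t-\t-\t-\t-\tS0
"""

def parse_bro_log(text):
    """Yield one dict per record, honouring the log's own header directives."""
    hdr = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    sep = "\t"
    for line in text.splitlines():
        if line.startswith("#separator "):          # e.g. "#separator \x09" -> tab
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):                  # #fields, #types, #path, #open, #close ...
            key, _, val = line[1:].partition(sep)
            hdr[key] = val.split(sep) if key in ("fields", "types") else val
        elif line.strip():
            rec = {}
            for name, typ, raw in zip(hdr["fields"], hdr["types"], line.split(sep)):
                if raw == hdr["unset_field"]:
                    rec[name] = None                # Bro "-": the field was never set
                elif typ.startswith(("set", "vector")):
                    rec[name] = [] if raw == hdr["empty_field"] else raw.split(hdr["set_separator"])
                elif typ in ("count", "port", "int"):
                    rec[name] = int(raw)
                else:
                    rec[name] = "" if raw == hdr["empty_field"] else raw  # ts/addr kept verbatim
            yield rec

def to_syslog_kv(rec, path="conn"):
    """Render one record as a 'bro_<path> k=v ...' line for syslog/SIEM ingest (assumed format)."""
    parts = []
    for key, val in rec.items():
        if val is None:
            continue                                # omit unset fields rather than send "-"
        text = ",".join(val) if isinstance(val, list) else str(val)
        if text == "" or re.search(r'[\s="]', text):
            text = '"' + text.replace('"', '\\"') + '"'
        parts.append(f"{key}={text}")
    return f"bro_{path} " + " ".join(parts)
```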