[Bro] osquery integration

Robin Sommer robin at icir.org
Thu Feb 23 15:29:40 PST 2017


I wanted to send a pointer to a new integration project that Steffen
Haas presented at Bro4Pros recently: He wrote an osquery
(https://osquery.io) extension that connects the host monitor to Bro,
through Broker. The extension, along with a corresponding Bro script
framework, allows turning osquery's SQL-style queries into real-time
Bro event streams reflecting host-level activity. As an example, one
can ask osquery to send an event every time there's a new USB device
on a host, and then write a Bro script that processes these events as
they come in, just as any other Bro events. One can turn such host
activity into Bro log files for example, or correlate with the network
activity Bro is seeing.

The extension is currently in prototype state; we're working with the
osquery team to integrate it directly into their distribution---a
corresponding PR is open. In the meantime, we'd appreciate feedback,
either here on the list or through GitHub. You can find the project at
https://github.com/bro/bro-osquery .

For more context, see Steffen's Bro4Pros slides:
https://www.bro.org//bro4pros2017/Haas_OSquery_Bro4Pros2017.pdf

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
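As an added illustration of the pipeline described in the post (not code from the post or from the bro-osquery project), the Bro script below turns a host-level "new USB device" event into a Bro log and correlates it with connections Bro sees on the wire. The event name `osquery::usb_device_added`, its parameters, and the assumption that the host is identified by an `addr` are all hypothetical; the real framework may expose the osquery `usb_devices` table differently.

```bro
##! Added example: log USB devices reported by hosts and flag new
##! connections from hosts that recently had a USB device plugged in.

module OsqueryUSB;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## A host with a recently added USB device opened a new connection.
		New_USB_Host_Connection
	};

	type Info: record {
		ts:     time   &log;
		host:   addr   &log;
		vendor: string &log;
		model:  string &log;
	};

	## How long a host counts as "recently changed" for correlation.
	const recent_window = 10 min &redef;
}

# Hosts that reported a new USB device; entries expire after recent_window.
global recent_usb_hosts: table[addr] of string &create_expire=recent_window;

event bro_init()
	{
	Log::create_stream(OsqueryUSB::LOG, [$columns=Info, $path="osquery_usb"]);
	}

# Hypothetical event: name and parameters are assumptions made for this
# example, not the bro-osquery framework's actual API.
event osquery::usb_device_added(host: addr, vendor: string, model: string)
	{
	Log::write(OsqueryUSB::LOG, [$ts=network_time(), $host=host,
	                             $vendor=vendor, $model=model]);
	recent_usb_hosts[host] = fmt("%s %s", vendor, model);
	}

# Correlate the host-level event with network activity Bro observes itself.
event connection_established(c: connection)
	{
	local h = c$id$orig_h;
	if ( h in recent_usb_hosts )
		NOTICE([$note=New_USB_Host_Connection, $conn=c,
		        $msg=fmt("%s connected to %s shortly after USB device '%s' appeared",
		                 h, c$id$resp_h, recent_usb_hosts[h]),
		        $identifier=cat(h, c$id$resp_h)]);
	}
```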
