[Bro] Bro Detections and Compliance Questions

Johanna Amann johanna at icir.org
Fri Mar 3 15:16:15 PST 2017


On Thu, Feb 23, 2017 at 02:20:37PM +0000, Andrew Dellana wrote:
> When a Bro script detects something, how can you go about resolving the
> issues that caused it (assuming it wasn't noise that caused it)? Is
> there something that I change in Bro or is this something that would be
> covered in the corporate compliance / security?

You have to handle that either outside of Bro, or use something like
netcontrol to change your network settings (if appropriate).

> Following up with that what is the best practice to analyze the packet
> captures from Bro to determine if there is an actual issue? I am
> currently looking into Splunk as a log parser.

There is a wide variety of tools used for the job, but Splunk is certainly
popular. Others just operate directly on the logfiles; an ELK stack might
be another solution.

Johanna

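One concrete way to do the netcontrol part of that answer, as an added example that is not from the thread: a Bro 2.5 script that asks the NetControl framework to drop the offending address when a Scan::Address_Scan notice fires. The choice of the Scan::Address_Scan notice type and the ten-minute duration are assumptions, and the debug plugin only writes the intended rule to netcontrol.log instead of pushing it to a device, so the policy can be tested before it is wired to real equipment.

```bro
# Added example, not code from the thread: block the source of an address
# scan via NetControl. Tested policy with the debug plugin, which only
# logs the rule to netcontrol.log and changes nothing on the network.
@load base/frameworks/netcontrol
@load base/frameworks/notice
@load policy/misc/scan

# How long a blocked address stays blocked (assumed value).
const block_duration = 10 mins &redef;

event NetControl::init()
	{
	# Debug plugin: records rules instead of enforcing them. Swap in a
	# real backend (e.g. NetControl::create_acld or
	# NetControl::create_openflow) once the policy behaves as expected.
	local debug_plugin = NetControl::create_debug(T);
	NetControl::activate(debug_plugin, 0);
	}

hook Notice::policy(n: Notice::Info)
	{
	# Only react to address scans that actually carry a source address.
	if ( n$note == Scan::Address_Scan && n?$src )
		{
		# Request a drop rule; the returned id can later be passed to
		# NetControl::remove_rule() to lift the block early.
		local rule_id = NetControl::drop_address(n$src, block_duration,
		                                         "address scan");
		print fmt("requested drop of %s (rule %s)", n$src, rule_id);
		}
	}
```

Check netcontrol.log after a scan notice to confirm the rule was requested with the expected address and expiry before switching away from the debug plugin.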