Bro Detections and Compliance Questions

Hello,

When a Bro script detects something, how can you go about resolving the issues that caused it (assuming it wasn’t noise that caused it)? Is there something that I change in Bro, or is this something that would be covered in the corporate compliance / security?

Following up on that, what is the best practice for analyzing the packet captures from Bro to determine whether there is an actual issue? I am currently looking into Splunk as a log parser.

Best regards,

Andrew Dellana

Intern

> When a Bro script detects something, how can you go about resolving the
> issues that caused it (assuming it wasn't noise that caused it)? Is
> there something that I change in Bro, or is this something that would be
> covered in the corporate compliance / security?

You have to handle that either outside of Bro, or use something like
netcontrol to change your network settings (if appropriate).

> Following up on that, what is the best practice for analyzing the packet
> captures from Bro to determine whether there is an actual issue? I am
> currently looking into Splunk as a log parser.

There is a wide variety of tools used for the job, but Splunk is certainly
popular. Others just operate directly on the logfiles; an ELK stack might
be another solution.

Johanna
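A sketch of what Johanna's netcontrol suggestion looks like in practice, added here as an example and not code from the thread or the Bro project: a Bro script that reacts to the stock SSH brute-force notice by installing a temporary drop rule through the NetControl framework, using the debug plugin so the rule is only logged rather than pushed to a real device. It assumes Bro 2.5 or later with NetControl and the `protocols/ssh/detect-bruteforcing` policy script; the block duration and the location string are assumptions.

```bro
# Added example: respond to a notice through NetControl (Bro 2.5+ assumed).
@load base/frameworks/notice
@load base/frameworks/netcontrol
@load protocols/ssh/detect-bruteforcing

# Assumed value: how long an offending address stays blocked.
const block_duration = 10 mins &redef;

event NetControl::init()
	{
	# The debug plugin only writes rules to stdout and netcontrol.log; it
	# never touches a switch or firewall. Swap in a real backend plugin
	# (OpenFlow, acld, ...) once the logged rules look right.
	local debug_plugin = NetControl::create_debug(T);
	NetControl::activate(debug_plugin, 0);
	}

# Act only on the one notice type we trust; other notices keep their
# default actions. n$src is optional, so check it before using it.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing && n?$src )
		{
		# drop_address returns the rule id; an empty string means no
		# active plugin accepted the rule, which is worth knowing about.
		local id = NetControl::drop_address(n$src, block_duration,
		                                    "SSH password guessing");
		if ( id == "" )
			Reporter::warning(fmt("NetControl rejected block for %s", n$src));
		}
	}

# Audit trail: print when a rule is actually installed by a plugin.
event NetControl::rule_added(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
	{
	print fmt("NetControl rule %s added for %s: %s", r$id, r$entity, msg);
	}
```

Run it against a capture with `bro -r trace.pcap this-script.bro` and compare notice.log with netcontrol.log to confirm that a block was created for every Password_Guessing notice and nothing else.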

Another solution could be Apache Metron (previously OpenSOC). It handles pcap and bro logs natively, among other things.

Jon