Bro-IDS integration to sguil

Hi all, I think I had previously mentioned the
availability of brooery and Christian replied
with the answer that brooery is not ready yet and
recommended me to try sguil. I have been a long-time user
of sguil in a production environment, and I would
like to see the integration of bro-ids to provide
alert data to sguil.

While sguil integrates 4 forms of data, including alert
data that is provided by snort, I think that it's possible
to have bro-IDS alert data sent to sguil as well. I
have talked to the core developer of sguil - Bamm, and
he told me that it can be done by having bro talk
to the sensor_agent.tcl.

I'm not that familiar with bro compared to snort,
thus I would like to know of any pointers and references
that can help me to complete the integration of bro with
sguil. Many thanks.

I think that would be lovely to have it done.

> Hi all, I think I had previously mentioned the
> availability of brooery and Christian replied
> with the answer that brooery is not ready yet and
> recommended me to try sguil. I have been a long-time user
> of sguil in a production environment, and I would
> like to see the integration of bro-ids to provide
> alert data to sguil.

Yeah, that'd definitely be useful.

> While sguil integrates 4 forms of data, including alert
> data that is provided by snort, I think that it's possible
> to have bro-IDS alert data sent to sguil as well. I
> have talked to the core developer of sguil - Bamm, and
> he told me that it can be done by having bro talk
> to the sensor_agent.tcl.

> I'm not that familiar with bro compared to snort,
> thus I would like to know of any pointers and references
> that can help me to complete the integration of bro with
> sguil. Many thanks.

You definitely want to check out the Broccoli library -- communication
with other nodes is intrinsic now in Bro, and Broccoli provides nearly
full-blown Bro communications endpoint functionality to external
applications:

  Broccoli — The Bro client communications library

I'm not familiar with sensor_agent.tcl but instead of hacking more
support for external features into Bro, Broccoli is very likely the
better alternative. Indeed if we had Broccoli bindings to more languages
it'd become even easier, but finding the time is a problem right now...

> I think that would be lovely to have it done.

No doubt! Keep us posted.

Cheers,
Christian.

Hello Lee,

The question is what sort of data sguil is waiting for:
text, binaries, syslog?

Bro is able to send data using various methods, so as soon as
we know what we need to send, we'll see how to do this.

Best regards.

PS: I find your idea very good.

Best regards.