bro-ids + sguil

Christian,

I have read a lot regarding brocolli, and it seems that's what is needed to code with instead of hacking the bro src, especially since brocolli is able to talk to bro to extract the information it needs. From my experience with sguil, this is how snort gets to talk to sguil:

snort -> barnyard (snort's native db output plugin, hacked to work with the sguil sensor) -> sguil sensor -> sguil server

Previously the sguil developers modded snort for its portscan data; now that is no longer needed and instead just barnyard needs to be modded. Is it similar for bro as well, where

bro-ids -> brocolli (hacked to work with the sguil sensor) -> sguil sensor -> sguil server

I also took a look at brooery to get a better idea of how bro needs to be put into a gui context. It seems that brooery is not a real-time notification system; indeed it targets enhancing the analysis capabilities, while this has already been achieved in sguil. I think it should get real-time notification for alarm events and analyse on the fly when possible.

Thanks.

Hi Lee,

> Christian,
>
> I have read a lot regarding brocolli

It's "Broccoli". Like the food. Two "c"s, one "l". :^)

> and it seems that's what is needed to code with instead of hacking the bro
> src, especially since brocolli is able to talk to bro to extract the
> information it needs. From my experience with sguil, this is how snort
> gets to talk to sguil:
>
> snort -> barnyard (snort's native db output plugin, hacked to work
> with the sguil sensor) -> sguil sensor -> sguil server
>
> Previously the sguil developers modded snort for its portscan data; now
> that is no longer needed and instead just barnyard needs to be modded. Is it
> similar for bro as well, where
>
> bro-ids -> brocolli (hacked to work with the sguil sensor) -> sguil sensor ->
> sguil server

Please don't make any changes to Broccoli that add features irrelevant
to Bro's communication protocol, since such patches will never get in.
Rather, I'd suggest writing a translator or something that uses Broccoli
to receive Bro events, then translates them into whatever sguil needs,
and forwards that on to the sguil sensor. Kind of like this:

  bro-ids -> bro2sguil translator -> sguil server.

That translator would effectively function as a sguil sensor.
Alternatively, if the sguil server is sufficiently flexible, it'll just
get a new Bro module in addition to other things it can talk to.

Cheers,
Christian.
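The "bro2sguil translator" Christian sketches above, as an added example that is not code from this thread, from Bro, Broccoli or sguil: it shows the shape of such a process (receive a Bro event, map it by event name to the record a sguil-style server expects, forward it through a pluggable sink) while staying outside Broccoli itself. The BroEvent and SguilAlert field names are assumptions for the example; a real translator would fill BroEvent from the Broccoli callback arguments of the Bro events it subscribes to, and sguil's actual agent wire format is not reproduced here. Events with no registered mapper or with malformed addresses are dropped and counted rather than forwarded half-filled.

```python
"""Skeleton of a bro2sguil translator (example code, not the project's own):
receive Bro events, map them to a sguil-style alert record, forward them
through a sink. Event and alert field names are assumptions for this example."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class BroEvent:
    """Constructed stand-in for the arguments a Broccoli event callback
    would receive; a real translator fills this from the callback."""
    name: str        # Bro event name, e.g. "notice"
    ts: float        # epoch seconds, as Bro timestamps events
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    msg: str
    priority: int = 3


@dataclass
class SguilAlert:
    """Assumed alert record for the sguil side (not sguil's real wire format)."""
    sensor: str
    timestamp: str   # "YYYY-MM-DD HH:MM:SS", UTC
    signature: str
    priority: int
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def bro_ts_to_sguil(ts: float) -> str:
    """Bro reports epoch seconds; the assumed sguil record carries a UTC wall-clock string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


class Bro2Sguil:
    """Dispatches Bro events by name to per-event mappers and hands the
    resulting alerts to a sink (a socket writer in practice; a list here)."""

    def __init__(self, sensor: str, sink: Callable[[SguilAlert], None]):
        self.sensor = sensor
        self.sink = sink
        self.mappers: Dict[str, Callable[[BroEvent], Optional[SguilAlert]]] = {}
        self.dropped = 0  # events with no mapper or with bad fields

    def register(self, event_name: str, mapper: Callable[[BroEvent], Optional[SguilAlert]]) -> None:
        self.mappers[event_name] = mapper

    def handle(self, ev: BroEvent) -> Optional[SguilAlert]:
        """Translate one event; returns the forwarded alert or None if dropped."""
        mapper = self.mappers.get(ev.name)
        alert = mapper(ev) if mapper is not None else None
        if alert is None:
            self.dropped += 1
            return None
        self.sink(alert)
        return alert

    def map_notice(self, ev: BroEvent) -> Optional[SguilAlert]:
        """Mapper for a notice-like event; validates addresses and ports so a
        malformed event never reaches the server as a half-filled alert."""
        try:
            ipaddress.ip_address(ev.src)
            ipaddress.ip_address(ev.dst)
        except ValueError:
            return None
        if not (0 <= ev.src_port <= 65535 and 0 <= ev.dst_port <= 65535):
            return None
        return SguilAlert(
            sensor=self.sensor,
            timestamp=bro_ts_to_sguil(ev.ts),
            signature=f"BRO {ev.name}: {ev.msg}",
            priority=ev.priority,
            proto=ev.proto.upper(),
            src=ev.src, src_port=ev.src_port,
            dst=ev.dst, dst_port=ev.dst_port,
        )


def run_demo() -> Tuple[List[SguilAlert], int]:
    """Feed constructed sample events through the translator; returns (forwarded, dropped)."""
    forwarded: List[SguilAlert] = []
    t = Bro2Sguil("bro-sensor-1", forwarded.append)
    t.register("notice", t.map_notice)
    events = [  # constructed sample input, not captured traffic
        BroEvent("notice", 1000000000.0, "tcp", "10.0.0.5", 40001, "192.0.2.10", 22, "SSH login failures"),
        BroEvent("unknown_event", 1000000001.0, "udp", "10.0.0.5", 1, "192.0.2.10", 53, "no mapper"),
        BroEvent("notice", 1000000002.0, "tcp", "not-an-ip", 1, "192.0.2.10", 80, "bad address"),
    ]
    for ev in events:
        t.handle(ev)
    return forwarded, t.dropped


if __name__ == "__main__":
    alerts, dropped = run_demo()
    for a in alerts:
        print(a)
    print("dropped:", dropped)
```

The sink is the only piece that would differ between this sketch and a process acting as a real sguil sensor: replace `forwarded.append` with a function that serialises the alert in whatever format the sguil server accepts and writes it to the server connection, and the dispatch and validation stay as they are.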