Bro & OSSEC?

Zeek
1

Hello. I'm new to the list and still a relatively new user of Bro. I've been an avid user of OSSEC (http://www.ossec.net) for quite some time now, and I would like to start incorporating Bro into my network security posture. To that end, I have a couple questions:

1. Has anyone had any experience Bro and OSSEC together?
2. Is there any interest in the Bro community for some sort of interface into OSSEC?
3. Just to make sure I'm not stepping on anyone's toes, there aren't any formal projects underway to create such an interface between Bro and OSSEC are there? I would very much like to work on such a project, but if one is already in progress, I don't want to duplicate efforts or infringe on someone else's territory.

Thanks.

Kurt
perl -e "($_='tjgvlvsuAzbipp/dpn')=~s/(.)/chr(ord($1)-1)/ge;print"
My Blog: http://kwoon.blogspot.com
PGP Public Key (0x71D25CDA) @ http://cryptonomicon.mit.edu/

2

Please see comments in line ..

Kurt wrote:

Hello. I'm new to the list and still a relatively new user of Bro. I've been an avid user of OSSEC (http://www.ossec.net) for quite some time now, and I would like to start incorporating Bro into my network security posture. To that end, I have a couple questions:

1. Has anyone had any experience Bro and OSSEC together?

As far as I know, there has been no interaction between the two
projects. Seems like a natural fit though.

2. Is there any interest in the Bro community for some sort of interface into OSSEC?

After reading the ossec web page, I suspect that there might be a
general interest in this. Personally I think it is an excellent idea.
See #3.

3. Just to make sure I'm not stepping on anyone's toes, there aren't any formal projects underway to create such an interface between Bro and OSSEC are there? I would very much like to work on such a project, but if one is already in progress, I don't want to duplicate efforts or infringe on someone else's territory.

The one question that I would have is regarding the direction of
integration. If you are not a big bro user, it seems natural to just
take bro as an additional data source and be done with it.

- From my perspective, it might be interesting to be able to use ossec as
a way to feed interesting information into bro and let it correlate
incoming network connections with host based events. There has been
some work with this with syslog, ssh and apache logs via the broccoli
library.

For more examples of this, look on the bro web site:

and my personal site www.nersc.gov/~scottc under "Notes on new Bro
functionality"

cheers,

scott