bro question with SIEM

Hi -

Our Med School uses the IBM Qradar SIEM tool, and we have a project to expand it to cover the rest of the University. Since we have a SIEM now, I figured I might as well put the best logs I have in it - which include BRO logs: http, dns, conn, etc.

IBM is asking me the following question: Is BRO able to forward raw flow data that has not been normalized or altered?

I’m pretty sure the answer is no because I have worked with raw flow data with flow-tools a lot, but I wanted to post it here to make sure, plus see if anyone is using BRO with a SIEM and what those setups might look like.

Thanks,
-Brian

Brian Allen, CISSP
Information Security Manager
Washington University
brianallen@wustl.edu
314-935-5380

Brian,

I also have Qradar and am looking to supplement it with BRO - mainly the Security Onion platform. The systems have some overlap; I suspect that they are just going to want raw network data as they have their own tools to pull info out. I am planning on sending my syslog data to Qradar and pulling the BRO data from a network tap. So both systems will run in parallel, not one reporting to the other.

Do let us know what you end up with.

Brant

You could send the logs or even the raw bro events.

I’m not sure what they mean by raw flow data, but am guessing they mean like v9 netflows. That it won’t do.

We set up Linux’s Syslog-NG v3x to monitor and forward the logs to Log Siphon’s Syslog daemon.

Below is an example syslog.conf setup.

Thanks!

Below are the sample syslog-ng.conf settings for sending the Bro2 logs to Log Siphon; items in dark red ARE required.

    #BRO IDS
    # One source per Bro log file; follow_freq(1) polls each file once per second.
    source s1_broHttp { file("/opt/bro2/spool/bro/http.log" follow_freq(1)); };
    source s1_broConn { file("/opt/bro2/spool/bro/conn.log" follow_freq(1)); };
    source s1_broDNS { file("/opt/bro2/spool/bro/dns.log" follow_freq(1)); };
    source s1_broFILES { file("/opt/bro2/spool/bro/files.log" follow_freq(1)); };
    source s1_broSMTP { file("/opt/bro2/spool/bro/smtp.log" follow_freq(1)); };
    source s1_broSMTPentities { file("/opt/bro2/spool/bro/smtp_entities.log" follow_freq(1)); };
    source s1_broSoftware { file("/opt/bro2/spool/bro/software.log" follow_freq(1)); };
    source s1_broSNMP { file("/opt/bro2/spool/bro/snmp.log" follow_freq(1)); };
    source s1_broSSL { file("/opt/bro2/spool/bro/ssl.log" follow_freq(1)); };
    source s1_broDPD { file("/opt/bro2/spool/bro/dpd.log" follow_freq(1)); };
    source s1_broNotice { file("/opt/bro2/spool/bro/notice.log" follow_freq(1)); };
    source s1_broSSH { file("/opt/bro2/spool/bro/ssh.log" follow_freq(1)); };
    source s1_broSYSLOG { file("/opt/bro2/spool/bro/syslog.log" follow_freq(1)); };
    source s1_broFTP { file("/opt/bro2/spool/bro/ftp.log" follow_freq(1)); };
    source s1_broTUNNEL { file("/opt/bro2/spool/bro/tunnel.log" follow_freq(1)); };
    source s1_broX509 { file("/opt/bro2/spool/bro/x509.log" follow_freq(1)); };
    source s1_broDHCP { file("/opt/bro2/spool/bro/dhcp.log" follow_freq(1)); };

    # One UDP/514 destination per log type; X.X.X.X is the Log Siphon collector address.
    # The template tags each line with the Bro log it came from so the receiver can route it.
    destination logsiphon1 { udp("X.X.X.X" port(514) template("BRO2 HTTP → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon2 { udp("X.X.X.X" port(514) template("BRO2 CONN → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon3 { udp("X.X.X.X" port(514) template("BRO2 DNS → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon4 { udp("X.X.X.X" port(514) template("BRO2 SMTP → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon5 { udp("X.X.X.X" port(514) template("BRO2 SMTP_ENTITIES → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon6 { udp("X.X.X.X" port(514) template("BRO2 SOFTWARE → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon7 { udp("X.X.X.X" port(514) template("BRO2 SSL → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon8 { udp("X.X.X.X" port(514) template("BRO2 DPD → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon9 { udp("X.X.X.X" port(514) template("BRO2 NOTICE → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon10 { udp("X.X.X.X" port(514) template("BRO2 FTP → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon11 { udp("X.X.X.X" port(514) template("BRO2 SSH → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon12 { udp("X.X.X.X" port(514) template("BRO2 SYSLOG → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon13 { udp("X.X.X.X" port(514) template("BRO2 TUNNEL → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon14 { udp("X.X.X.X" port(514) template("BRO2 FILES → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon15 { udp("X.X.X.X" port(514) template("BRO2 SNMP → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon16 { udp("X.X.X.X" port(514) template("BRO2 X509 → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
    destination logsiphon17 { udp("X.X.X.X" port(514) template("BRO2 DHCP → $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };

    # Wire each source to its matching destination.
    log { source(s1_broHttp); destination(logsiphon1); };
    log { source(s1_broConn); destination(logsiphon2); };
    log { source(s1_broDNS); destination(logsiphon3); };
    log { source(s1_broSMTP); destination(logsiphon4); };
    log { source(s1_broSMTPentities); destination(logsiphon5); };
    log { source(s1_broSoftware); destination(logsiphon6); };
    log { source(s1_broSSL); destination(logsiphon7); };
    log { source(s1_broDPD); destination(logsiphon8); };
    log { source(s1_broNotice); destination(logsiphon9); };
    log { source(s1_broFTP); destination(logsiphon10); };
    log { source(s1_broSSH); destination(logsiphon11); };
    log { source(s1_broSYSLOG); destination(logsiphon12); };
    log { source(s1_broTUNNEL); destination(logsiphon13); };
    log { source(s1_broFILES); destination(logsiphon14); };
    log { source(s1_broSNMP); destination(logsiphon15); };
    log { source(s1_broX509); destination(logsiphon16); };
    log { source(s1_broDHCP); destination(logsiphon17); };

Ron Jenkins (Owner / Senior Architect)
RMJ Consulting, LLC. Bringing Companies and Solutions Together
11715 Bricksome Ave STE B-7
Baton Rouge, LA 70816
Toll: 855-448-5214
Direct: 225-448-5214 Ext #101
Fax: 225-448-5324
Cell: 225-931-1632
Email: rjenkins@rmjconsulting.net
Web: http://www.rmjconsulting.net
Log Siphon: http://www.logsiphon.com
LinkedIn: www.linkedin.com/in/ronmjenkins/
Twitter: www.twitter.com/RMJConsulting
RMJ Consulting’s Technology Corner: https://www.rmjconsulting.net/main/paper.php
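An added example, not from this thread or from Log Siphon, showing what the SIEM actually receives from a setup like the one above: a parser for the Bro 2.x TSV log format (the files the syslog-ng sources tail, with their #separator/#fields headers) and a formatter that builds the same "BRO2 <LOG> -> date program message" line, but as key=value pairs so no field is lost. The sample conn.log, the program name "bro" and the key=value body format are assumptions; the log header layout is Bro's.

```python
from datetime import datetime, timezone

# Constructed sample of a Bro 2.x conn.log (header + two records), not real traffic.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n"
    "1400000000.5\tCXWv6p3arKYeMETxOg\t10.0.0.5\t52344\t192.0.2.10\t80\ttcp\thttp"
    "\t0.25\t512\t2048\tSF\n"
    "1400000001.0\tCabc123\t10.0.0.6\t50000\t192.0.2.11\t53\tudp\t-\t-\t-\t-\tS0\n"
    "#close\t2014-05-13-17-00-00\n"
)


def parse_bro_log(text):
    """Yield one dict per record, keyed by the #fields header. The #separator
    line carries its value as a literal escape ("\\x09"), so it is decoded first
    and the remaining header lines use it; unset ("-") -> None, empty -> ""."""
    sep, fields, unset, empty = "\t", None, "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):  # #fields, #types, #path, #close, ...
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue
        values = line.split(sep)
        if fields is None or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        yield {f: None if v == unset else "" if v == empty else v
               for f, v in zip(fields, values)}


def to_syslog_line(record, log_name, program="bro"):
    """Build the forwarded line: fixed "BRO2 <LOG>" tag, UTC timestamp taken from
    the record's own ts (not the time it was read), program, key=value body."""
    ts = datetime.fromtimestamp(float(record["ts"]), tz=timezone.utc)
    body = " ".join("%s=%s" % (k, "-" if v is None else v) for k, v in record.items())
    return "BRO2 %s -> %s %s %s" % (log_name.upper(), ts.isoformat(), program, body)
```

Note that syslog-ng's $FULLDATE is the time the line was read, while the record's ts is when Bro saw the connection; keeping both lets the SIEM spot forwarding lag.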

They definitely mean NetFlow v5 or v9. Bro can’t do this, but you probably could generate flows from the same device you’re running Bro on. I’m pretty sure there are some open source options here.

We were going to do that once with Bro & Argus on the same boxes. But then we got better flow data from the routers with a network upgrade and moved to just setting up a single collector box.