Some sample using bro as a post correlator?

Hi all,

  I have configured a pcap output filter on my snort sensor. Can I use bro-ids as realtime correlator using this configuration?? Some sample how can I do this??


Any hints??

I'm not exactly sure what you would be trying to accomplish in this scenario but what I would expect is that you would receive individual packets that caused a snort rule to trigger. Individual packets are going to be somewhat useless to Bro since Bro's analysis model is to fully reassemble streams and analyze the protocols contained within.

Alternately, you can use the Bro output plugin that Barnyard2 has. The next release of Bro has a script for taking the output from Snort/Suricata from Barnyard2 and logging it. At some point once we identify beneficial correlation techniques we will probably start adding out of the box correlations for Snort/Suricata rules. Right now you will have to write you own script if you want to do correlation or suppression of Snort/Suricata alerts.


Sorry Seth for my later response. At this moment, my "problem" can be resolved if bro-ids can take output from barnyard2. Is it possible do this using 1.5.3 release or do I need to use release from git repository??


Just curious, what is it you want to do initially with the imported
Snort alerts? What kind of correlation are you planning to do?