When a bro script detects something, how can you go about resolving the issues that caused it (assuming it wasn’t noise that caused it)? Is there something that I change in Bro or is this something that would be covered in the corporate compliance / security?


Following up with that what is the best practice to analyze the packet captures from Bro to determine if there is an actual issue? I am currently looking into Splunk as a log parser.





Best regards,


Andrew Dellana