Another solution could be Apache Metron (previously OpenSOC). It handles
pcap and Bro logs natively, among other things.
On Fri, Mar 3, 2017, 6:24 PM Johanna Amann <johanna(a)icir.org> wrote:

> On Thu, Feb 23, 2017 at 02:20:37PM +0000, Andrew
> > When a Bro script detects something, how can you go about resolving the
> > issues that caused it (assuming it wasn't noise that caused it)? Is
> > there something that I change in Bro, or is this something that would be
> > covered in the corporate compliance / security?
>
> You have to handle that either outside of Bro, or use something like
> netcontrol to change your network settings (if appropriate).
>
> > Following up on that, what is the best practice to analyze the packet
> > captures from Bro to determine if there is an actual issue? I am
> > currently looking into Splunk as a log parser.
>
> There is a wide variety of tools used for the job, but Splunk is certainly
> popular. Others just operate directly on the logfiles; an ELK stack might
> be another solution.
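As an added illustration of the netcontrol route Johanna mentions (this is an example written for this page, not code from the thread or from the Bro project), the script below wires the stock SSH brute-force detector to a NetControl block. It assumes Bro 2.5 or later with the NetControl framework, and it activates only the debug backend, so rules are written to netcontrol.log rather than pushed to a switch or firewall; the ten-minute block duration and the "ssh brute force" location tag are arbitrary choices for the example.

```bro
# Example only: turn an SSH brute-force notice into a NetControl block.
@load base/frameworks/netcontrol
@load protocols/ssh/detect-bruteforcing

# Activate the debug backend so rules are only logged, never enforced.
# Replace with NetControl::create_openflow / create_acld / create_packetfilter
# once the policy has been reviewed on real traffic.
event NetControl::init()
	{
	local debug_plugin = NetControl::create_debug(T);
	NetControl::activate(debug_plugin, 0);
	}

# detect-bruteforcing raises SSH::Password_Guessing with $src set to the
# offending host. Block that address for ten minutes (assumed duration);
# the string is a free-form location tag that ends up in netcontrol.log.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing && n?$src )
		NetControl::drop_address(n$src, 10 mins, "ssh brute force");
	}
```

Run it with `bro -r capture.pcap this_script.bro` and check netcontrol.log for the drop rule; because only the debug plugin is active, nothing is blocked until a real backend is substituted, which is the "if appropriate" part of the reply in practice.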