Another solution could be Apache Metron (previously OpenSOC). It handles pcap and Bro logs natively, among other things.


On Fri, Mar 3, 2017, 6:24 PM Johanna Amann <> wrote:
On Thu, Feb 23, 2017 at 02:20:37PM +0000, Andrew Dellana wrote:
> When a bro script detects something, how can you go about resolving the
> issues that caused it (assuming it wasn't noise that caused it)? Is
> there something that I change in Bro or is this something that would be
> covered in the corporate compliance / security?

You have to handle that either outside of Bro, or use something like
netcontrol to change your network settings (if appropriate).

> Following up with that what is the best practice to analyze the packet
> captures from Bro to determine if there is an actual issue? I am
> currently looking into Splunk as a log parser.

There is a wide variety of tools used for the job, but Splunk is certainly
popular. Others just operate directly on the logfiles; an ELK stack might
be another solution.
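As an added illustration of the "use something like netcontrol" suggestion in Johanna Amann's reply (this is example code written for this page, not code from the thread or from the Bro project), the script below wires a Bro notice to the NetControl framework so that a detection results in a block rule rather than only a log line. The notice types come from the stock policy/misc/scan.bro; the block duration, the use of the debug backend, and the module name are assumptions made for the example.

```bro
# Added example, not from the mailing-list thread: react to a Bro notice by
# asking NetControl to drop the offending address. Assumes a Bro 2.5-era
# NetControl framework; block_duration and the debug backend are illustrative.
@load base/frameworks/netcontrol
@load base/frameworks/notice
@load misc/scan

module NoticeBlock;

export {
	## How long an offending source stays blocked (assumed value).
	const block_duration = 10 min &redef;
}

event NetControl::init()
	{
	# The debug plugin only records what it would have done in
	# netcontrol.log, so the policy can be tested without touching real
	# switches or firewalls. Swap in NetControl::create_packetfilter(),
	# NetControl::create_openflow(...) or an acld backend for production.
	local debug_plugin = NetControl::create_debug(T);
	NetControl::activate(debug_plugin, 0);
	}

hook Notice::policy(n: Notice::Info)
	{
	# Only notices that carry a source address can be turned into a block.
	if ( ! n?$src )
		return;

	# Only the scan detections from misc/scan.bro trigger a block; every
	# other notice is left for a human to assess, which keeps false
	# positives from taking hosts off the network.
	if ( n$note != Scan::Address_Scan && n$note != Scan::Port_Scan )
		return;

	# drop_address returns the id of the rule that was installed; the rule
	# itself, its expiry and the backend's answer land in netcontrol.log.
	local rule_id = NetControl::drop_address(n$src, block_duration,
	                                          fmt("notice %s", n$note));
	print fmt("NetControl rule %s: dropping %s for %s", rule_id, n$src,
	          block_duration);
	}
```

Run it with `bro -r scan.pcap noticeblock.bro` against a capture containing a scan and check netcontrol.log for the DROP rule, its expiry and the plugin's ADDED/REMOVED state. Whether a block is "appropriate", as the reply puts it, is the part NetControl cannot decide for you: the notice filter above is where that policy lives, and the stock notice framework's ACTION_DROP offers a similar catch-and-release path if you prefer to drive blocking from notice actions rather than a custom hook.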

