Thank you Seth and Samuel. I appreciate the help. :)
On 6/26/13 1:42 PM, "Seth Hall" <seth(a)icir.org> wrote:
On Jun 26, 2013, at 1:21 PM, John Babio <jbabio(a)po-box.esu.edu> wrote:
I need some clarification. I am trying to understand the operations of Bro and how it relates to how snort operates. I am having a little trouble with a few things.
Don't try to draw those comparisons. They're only going to lead to
confusion for you. :)
1. Where are default rules/signatures/scripts stored in the folder
2. What log file are we supposed to pay attention to: Notices, Weird or all of them?
Any and all logs could be important depending on what you're investigating. Certain logs like communication.log, notice_policy.log, and loaded_scripts.log are Bro doing some internal accounting so that if you have questions about how it's behaving you may be able to figure that out. In "normal" operation the weird log tends to be of less value too (please correct me if someone uses that a lot!). Typically the most important logs are the ones that provide some sort of network activity logging (i.e. http.log, smtp.log, conn.log, dns.log, software.log, etc).
3. Where do we place custom bro scripts we write?
I typically recommend that people place scripts into
<prefix>/share/bro/site/ and use the local.bro script in that directory
to load their scripts.
4. Is there a skeleton of a basic script somewhere so I know where to
I would take a look at the scripts in <prefix>/share/bro/policy/ (there are quite a few) to get a general feel of the land. That directory and all of its subdirectories are where most of the scripts are that detect
5. Where in Bro to I specify sending the data to an external ELSA
That is something you'll have to do outside of Bro. We don't have any
direct integration at this point in time. The SecurityOnion project
should be able to provide some guidance there since they ship with Bro
logs integrated in ELSA
International Computer Science Institute
(Bro) because everyone has a network
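As an added illustration of questions 3 and 4 above (this is not code from the thread or from the Bro project), here is a minimal site script of the kind Seth describes: it lives in <prefix>/share/bro/site/, defines its own Notice type, and raises a notice from an event handler. The module name Site_Watch, the file name site_watch.bro and the watched address 10.0.0.5 are assumptions made for the example; Bro 2.x script syntax is assumed.

```bro
##! Added example, not part of the original thread. Save as
##! <prefix>/share/bro/site/site_watch.bro and load it from local.bro
##! in the same directory with:   @load site_watch
##! Raises a notice whenever a watched host originates a connection.

@load base/frameworks/notice

module Site_Watch;

export {
	## A new notice type so hits land in notice.log with their own name.
	redef enum Notice::Type += {
		## Raised when a host in watched_hosts originates a connection.
		Watched_Host_Connection,
	};

	## Hosts to watch. 10.0.0.5 is a constructed sample value;
	## override it in local.bro with: redef Site_Watch::watched_hosts += { ... };
	const watched_hosts: set[addr] = { 10.0.0.5 } &redef;
}

## connection_established fires once the TCP handshake completes, so this
## only reports connections that actually succeeded.
event connection_established(c: connection)
	{
	if ( c$id$orig_h !in watched_hosts )
		return;

	NOTICE([$note=Watched_Host_Connection,
	        $msg=fmt("watched host %s connected to %s:%s",
	                 c$id$orig_h, c$id$resp_h, c$id$resp_p),
	        $conn=c,
	        # identifier lets the notice framework suppress repeats of the
	        # same orig/resp pair for Notice::default_suppression_interval.
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}
```

The directory layout matters for question 3: <prefix>/share/bro/site/ is on BROPATH, so a bare `@load site_watch` in local.bro resolves to this file, and `broctl check` / `broctl deploy` will pick it up. For question 4, the three pieces here (an `@load` of the framework you depend on, an `export` block declaring a Notice type and any `&redef` tunables, and an event handler that calls `NOTICE`) are the same skeleton most of the scripts under <prefix>/share/bro/policy/ follow.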