On Thu, Feb 23, 2017 at 02:20:37PM +0000, Andrew Dellana wrote:
> When a bro script detects something, how can you go about resolving the
> issues that caused it (assuming it wasn't noise that caused it)? Is
> there something that I change in Bro or is this something that would be
> covered in the corporate compliance / security?
You have to handle that either outside of Bro, or use something like
netcontrol to change your network settings (if appropriate).
> Following up with that, what is the best practice to analyze the packet
> captures from Bro to determine if there is an actual issue? I am
> currently looking into Splunk as a log parser.
There is a wide variety of tools used for the job, but Splunk is certainly
popular. Others just operate directly on the logfiles; an ELK stack might
be another solution.
Johanna
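As an added illustration of the netcontrol route mentioned above (example script, not code from this thread or from the Bro project): a policy script that turns the stock SSH::Password_Guessing notice into a time-limited NetControl block. It assumes Bro 2.5 with the NetControl framework, uses the debug backend so it can be exercised offline, and the one-hour block duration is an assumed value.

```bro
##! Added example: react to a Bro notice with a NetControl rule instead of
##! only logging it. Assumes Bro 2.5, the NetControl framework and the
##! SSH::Password_Guessing notice from policy/protocols/ssh/detect-bruteforcing.

@load base/frameworks/netcontrol
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing

module BlockGuessers;

export {
    ## How long a blocked source stays blocked (assumed value; tune to policy).
    const block_duration = 1hr &redef;
}

# The debug backend only logs what it would do, so the script can be tested
# without touching the network. In production this would be replaced by a
# real backend (OpenFlow, acld, PacketFilter, ...) activated the same way.
event NetControl::init()
    {
    local backend = NetControl::create_debug(T);
    NetControl::activate(backend, 0);
    }

# Turn the detection into a response: whenever a password-guessing notice is
# raised, ask NetControl to drop traffic from the offending address for
# block_duration. The notice itself is still logged as usual.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != SSH::Password_Guessing )
        return;

    # Not every notice carries a source address; bail out rather than crash.
    if ( ! n?$src )
        return;

    # drop_address returns the id of the rule that was added, or an empty
    # string when no active backend accepted it.
    local rule_id = NetControl::drop_address(n$src, block_duration,
                                             fmt("notice %s", n$note));
    if ( rule_id == "" )
        Reporter::warning(fmt("no NetControl backend accepted a block for %s",
                              n$src));
    }
```

Running `bro -r capture.pcap` with this script loaded shows the resulting rule in netcontrol.log; a real backend would need a change-control decision before it is activated in place of the debug one.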