You could send the logs or even the raw bro events.
I'm not sure what they mean by raw flow data, but am guessing they mean like v9
netflows. That it won't do.
On Oct 31, 2014, at 3:08 PM, Brant Hale
I also have Qradar and am looking to supplement it with BRO - mainly the Security Onion
platform. The systems have some overlap; I suspect that they are just going to want
raw network data as they have their own tools to pull info out. I am planning on sending
my syslog data to Qradar and pulling the BRO data from a network tap. So both systems
will run in parallel not one reporting to the other.
Do let us know what you end up with.
On Fri, Oct 31, 2014 at 3:45 PM, Allen, Brian
Our Medschool uses the IBM Qradar SIEM tool, and we have a project to expand it to cover
the rest of the University. Since we have a SIEM now, I figured I might as well put the
best logs I have in it - which include BRO logs: http, dns, conn, etc.
IBM is asking me the following question: Is BRO able to forward raw flow data that has
not been normalized or altered?
I'm pretty sure the answer is no because I have worked with raw flow data with
flow-tools a lot, but I wanted to post it here to make sure, plus see if anyone is using
BRO with a SIEM and what those setups might look like.
Brian Allen, CISSP
Information Security Manager
Bro mailing list
Adam J. Slagell
Chief Information Security Officer
Assistant Director, Cybersecurity Directorate
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
"Under the Illinois Freedom of Information Act (FOIA), any written communication to
or from University employees regarding University business is a public record and may be
subject to public disclosure."
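The "send the logs" option Adam mentions above, as an added example that is not code from this thread, from Bro, or from QRadar: a small forwarder that reads a Bro ASCII log (the `#separator`/`#fields`/`#types` header block followed by tab-separated records), keeps every value exactly as Bro wrote it (including the `-` unset marker), and wraps each record in an RFC 3164 syslog line so a SIEM receives Bro's own fields rather than a re-normalized copy. The conn.log excerpt is constructed for the example and trimmed to a subset of the real conn.log fields; the sensor hostname `bro-sensor`, the `bro_<path>` tag, and the collector address 127.0.0.1:514 are assumptions, not anything QRadar or Bro prescribes.

```python
import socket
from datetime import datetime, timezone

# Constructed sample (not a real capture): the header and two records of a Bro
# conn.log, trimmed to a handful of fields. The first line of a real Bro log is
# literally "#separator \x09"; every later header line uses that separator.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1414789680.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp\t0.512\t420\t1280\tSF
1414789681.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t53002\t10.0.0.1\t53\tudp\tdns\t-\t-\t-\tS0
#close\t2014-10-31-15-08-00
"""


def parse_bro_log(text):
    """Parse Bro ASCII log text into (path, field_names, records).

    Records are dicts keyed by the #fields names, in field order. Values stay
    the raw strings Bro wrote; only the unset marker (normally '-') becomes
    None, and it is written back out unchanged by to_syslog().
    """
    sep, unset, path, fields, records = "\t", "-", None, None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # "#separator \x09": this one header line is space-delimited and
            # carries the separator as a backslash escape.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            continue  # #set_separator, #empty_field, #types, #open, #close
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return path, fields, records


def to_syslog(path, record, hostname="bro-sensor", facility=16, severity=6):
    """Wrap one record in an RFC 3164 syslog line: <PRI>TIMESTAMP HOST TAG: MSG.

    facility 16 / severity 6 is local0.info (PRI 134). The message body is the
    record as key=value pairs in Bro's field order with Bro's own values, so
    the SIEM can parse the original data itself. Values are not quoted, so a
    log whose strings may contain spaces (http user agents) needs its own
    delimiter handling on the SIEM side.
    """
    pri = facility * 8 + severity
    ts = datetime.fromtimestamp(float(record["ts"]), tz=timezone.utc)
    stamp = "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))
    body = " ".join("%s=%s" % (k, "-" if v is None else v) for k, v in record.items())
    return "<%d>%s %s bro_%s: %s" % (pri, stamp, hostname, path, body)


def forward(text, collector=("127.0.0.1", 514), sock=None):
    """Parse a Bro log and send one syslog datagram per record.

    With sock=None nothing is sent; the formatted lines are returned either
    way so the output can be inspected offline.
    """
    path, _, records = parse_bro_log(text)
    lines = [to_syslog(path, r) for r in records]
    if sock is not None:
        for line in lines:
            sock.sendto(line.encode(), collector)
    return lines


if __name__ == "__main__":
    # Offline dry run: print what would go to the collector.
    for line in forward(SAMPLE_CONN_LOG):
        print(line)
    # To actually send (assumed collector, UDP/514):
    # forward(SAMPLE_CONN_LOG, sock=socket.socket(socket.AF_INET, socket.SOCK_DGRAM))
```

In a real deployment you would normally point rsyslog or syslog-ng at Bro's log directory rather than run a custom forwarder, but the pass-through shown here is the property IBM's question is really about: the record the SIEM receives is Bro's own output, with nothing renamed, reordered, or reinterpreted. Note that this is still Bro's connection summary, not NetFlow v9 or raw packets, which is the distinction Adam draws above.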