I've not heard of anything formal. Since there is a Python interface for Broccoli, the quickest method would be to have Suricata output to syslog on a local off port, then have a Python script listen on that local port and do the Bro conversion there. That might be a good way to get a proof-of-concept going to see if there's value there.<br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Nov 29, 2012 at 10:04 AM, Daniel Wyschogrod <span dir="ltr">&lt;<a href="mailto:dwyschogrod@bbn.com" target="_blank">dwyschogrod@bbn.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
Some of the work we're hoping to incorporate with Suricata involves
correlating multiple flows for various services. We were considering
using Bro for this, with Suricata detections being used as input. One
simple method would involve using Suricata detections feeding into
Barnyard2 and then Barnyard2 sending alerts to Bro via Broccoli. It
would be more efficient to directly add Broccoli calls to Suricata. Has
there been any work along these lines that anybody has heard of?<br>
<br>
Thanks,<br>
Dan<span class="HOEnZb"><font color="#888888"><br>
<div>-- <br>________________<br>
<span style="font-weight:bold">Dan Wyschogrod</span><br>
<br>
<span style="font-style:italic">Senior Scientist</span><br>
<span style="font-style:italic">Cyber Security</span><br style="font-style:italic">
<span style="font-style:italic">Raytheon/BBN Technologies</span><br>
<br>
<a href="mailto:dwyschogrod@bbn.com" target="_blank">dwyschogrod@bbn.com</a><br>
<br>
</div>
</font></span></div>
<br>_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br></blockquote></div><br></div>
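The proof-of-concept suggested in the reply, sketched as an added example that is not part of the original thread: a local UDP listener parses Suricata alert lines arriving over syslog into structured events. The alert line layout, the port 5514, and the names `parse_alert`, `handle_datagram`, `serve` and `emit` are assumptions; the hand-off to Bro through the Broccoli Python bindings belongs in the `emit` callback and is not shown.

```python
import re
import socket

MAX_LEN = 4096  # cap on datagram size; syslog input is untrusted

# Assumed alert layout (Suricata fast/syslog style), searched for after any syslog prefix:
# [gid:sid:rev] msg [Classification: c] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)

def parse_alert(line):
    """Return a dict for one alert line, or None if the line does not parse."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        ev[key] = int(ev[key])
    if ev["sport"] > 65535 or ev["dport"] > 65535:
        return None  # reject impossible port numbers instead of forwarding them
    return ev

def handle_datagram(data, emit):
    """Decode one syslog datagram, parse it, forward it via emit; return the event or None."""
    line = data[:MAX_LEN].decode("utf-8", errors="replace").strip()
    ev = parse_alert(line)
    if ev is not None:
        emit(ev)  # hypothetical hook: convert to a Bro event and send it here
    return ev

def serve(emit, host="127.0.0.1", port=5514):
    """Listen on a loopback-only UDP port that Suricata's syslog output is routed to."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, _ = sock.recvfrom(MAX_LEN)
        handle_datagram(data, emit)

# Constructed sample datagram, not captured traffic.
SAMPLE = (b"<133>Nov 29 10:04:00 sensor suricata[4321]: [1:2100498:7] "
          b"GPL ATTACK_RESPONSE id check returned root "
          b"[Classification: Potentially Bad Traffic] [Priority: 2] "
          b"{TCP} 192.0.2.10:80 -> 198.51.100.7:49152")

if __name__ == "__main__":
    handle_datagram(SAMPLE, print)
```

Binding to 127.0.0.1 keeps the listener from accepting alerts forged by other hosts; lines that do not parse are dropped and never reach `emit`.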