osquery Integration with Bro


Is there any mechanism to integrate osquery with Bro in RockNSM?

Osquery comes with a powerful SQL abstraction layer to query hosts for various information that can be leveraged, e.g., for network security. In a standard deployment, however, the hosts simply execute a statically defined schedule of queries, whose results might be useful for later analysis. Logs are forwarded to a central storage and can then be processed via arbitrary additional tools. With bro-osquery, we go beyond this standard use case with respect to several aspects. The intention of bro-osquery is to collect host and network data on a common platform and to provide the ability to correlate them for network monitoring and intrusion detection. When monitoring either hosts or the network alone, the other one is a blind spot in your monitoring. But when monitoring both, information from hosts and network can perfectly complement each other. With their correlation, you gain more detailed knowledge about the activities of hosts and achieve better visibility of the complete network infrastructure. The principle of correlation is to link host information for processes that emit traffic with network information for the corresponding packets. In bro-osquery we implement this concept for the host monitor osquery and the Bro network IDS. By establishing a bi-directional publish-subscribe communication between osquery hosts and Bro, they can directly exchange data, i.e., SQL queries and their results. We provide a framework of Bro scripts that allows running custom queries against all hosts, individual hosts, or specific groups of hosts. Bro dynamically controls the query schedule of the hosts, retrieves and processes the corresponding data, and it can even asynchronously query hosts on demand for additional data.
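The correlation principle described in the post (linking a process on a host to the connections it emits) is illustrated below as an added example; it is not bro-osquery's own code, which lives in Bro scripts. It assumes constructed osquery `process_open_sockets` rows and constructed Bro `conn.log` lines, and joins them on the connection 5-tuple in either direction.

```python
# Constructed sample: osquery process_open_sockets rows (joined with the
# process name), i.e. what a bro-osquery host would publish back to Bro.
OSQUERY_SOCKETS = [
    {"pid": 4242, "name": "curl", "local_address": "10.0.0.5", "local_port": 51234,
     "remote_address": "203.0.113.10", "remote_port": 443, "protocol": 6},
    {"pid": 777, "name": "sshd", "local_address": "10.0.0.5", "local_port": 22,
     "remote_address": "10.0.0.9", "remote_port": 60001, "protocol": 6},
]

# Constructed sample: Bro conn.log lines, tab-separated, reduced to the fields
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1500000000.1\tCabc1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp
1500000001.2\tCdef2\t10.0.0.9\t60001\t10.0.0.5\t22\ttcp
1500000002.3\tCghi3\t10.0.0.5\t40000\t198.51.100.7\t80\ttcp
"""

PROTO_NUM = {"tcp": 6, "udp": 17}  # conn.log proto name -> IP protocol number


def socket_index(rows):
    """Key each host socket by its 5-tuple in both directions, so a connection
    is matched whether the host was the originator or the responder."""
    idx = {}
    for r in rows:
        fwd = (r["local_address"], r["local_port"],
               r["remote_address"], r["remote_port"], r["protocol"])
        rev = (r["remote_address"], r["remote_port"],
               r["local_address"], r["local_port"], r["protocol"])
        idx[fwd] = r
        idx[rev] = r
    return idx


def correlate(conn_log, sockets):
    """Attach the owning pid/process to every conn.log record whose 5-tuple
    matches an osquery socket; unmatched connections get pid/process None,
    which is exactly the blind spot network-only monitoring leaves."""
    idx = socket_index(sockets)
    results = []
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):  # skip Bro header lines
            continue
        _ts, uid, oh, op, rh, rp, proto = line.split("\t")
        proc = idx.get((oh, int(op), rh, int(rp), PROTO_NUM[proto]))
        results.append({"uid": uid, "orig": f"{oh}:{op}", "resp": f"{rh}:{rp}",
                        "pid": proc["pid"] if proc else None,
                        "process": proc["name"] if proc else None})
    return results
```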