[Bro] IPS Functionality in BRO

Vern Paxson vern at icir.org
Tue Aug 1 23:00:06 PDT 2006


> const terminate_successful_inbound_service: table[port] of string = {
>               [22/tcp] = "SSH",
> } &redef;
> 
> also i did change the ssh.bro to the following .
> 
> redef restrict_filters += { ["ssh"] = "port 22" };
> 
> But in vain , i could NOT prevent the ssh traffic.

Do you get any output?  Is the "rst" tool in your path and setuid root so
it can forge tear-down traffic?

		Vern



More information about the Bro mailing list