[Bro] Is there a quickstart method?

Robin Sommer robin at icir.org
Tue Nov 28 19:35:34 PST 2006

On Tue, Nov 28, 2006 at 10:42 -0600, you wrote:

> The intended purpose of the Bro install I am working on is to monitor  
> incoming traffic only. To break it down simply I want to track only  
> those incoming events that would appear to be malicious (ssh, telnet,  
> etc).

In general, it's not really possible to restrict Bro's *analysis* to
only incoming traffic. The main reason here is that from Bro's
policy-neutral perspective it's hard to tell what "incoming"
actually means. 

Three ideas, depending on what exactly you want to achieve (which is
not completely clear to me):

First, you can filter the *alerts* so that only activity regarding
local hosts is reported. That's possible by writing a corresponding
notice-policy (see notice-policy.bro, or ask me again if you need
more details).

Second, if you're interested in a log of all incoming connections
(or incoming connections to certain ports like ssh etc.), conn.log
marks locally initiated connections with an "L" and remotely
initiated ones with an "X" (once you've configured your local
networks in site.bro). This is easily grep'able (or you can hack
conn.bro to not even output the local connections[1]). 

Third, firewall.bro allows you to define "firewall-like" rules
(e.g., "no external hosts are allowed to connect to any local telnet
port") and raises alerts if one is violated. It's not well
documented (um, not at all?), so again please ask for details if
you're interested in this functionality.

Does this help?


[1] In general you could hack any script to suppress its output for
local connections but by default they don't provide this

Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org

More information about the Bro mailing list