[Bro] Is there a quickstart method?

Christian Kreibich christian at whoop.org
Tue Nov 28 23:12:56 PST 2006

On Tue, 2006-11-28 at 10:42 -0600, David Caldwell wrote:
> We are trying to upgrade our security situation here, and in
> order to get our customer to go along with it we have to show good
> reason why we need it.

David, just two quick additions to what Robin said:

- Our marketing department just might fire me for saying this, but if
you just want to show people how bad things are then you might not need
anything as sophisticated as Bro. For example, compare the number of
valid connection requests in your sshd log to invalid ones -- my little
DSL-connected box at home got hit around 400 times per day with
malicious log-in attempts before I moved sshd to a different port.
Looking at Apache logs might give you a similar picture.

- Speaking of different ports, a scenario in which Bro definitely
*could* shine is detecting app-layer protocols on unusual ports, thanks
to the new DPD framework:


As an example, you could use the IRC detector to find IRC-based botnets
on arbitrary ports that way.
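
The sshd log comparison suggested in the message above, as an added example that is not part of the original post: it counts accepted versus failed authentications per day and tallies the sources of the failures. It assumes OpenSSH's usual syslog line format; the sample lines are constructed and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH syslog format (not real log data).
SAMPLE_LOG = """\
Nov 27 08:01:12 gw sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Nov 27 08:14:40 gw sshd[2110]: Invalid user admin from 203.0.113.5
Nov 27 08:14:42 gw sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Nov 27 08:14:45 gw sshd[2112]: Failed password for root from 203.0.113.5 port 40233 ssh2
Nov 27 19:30:03 gw sshd[2290]: Failed password for root from 198.51.100.77 port 33100 ssh2
Nov 28 07:55:19 gw sshd[2401]: Accepted password for alice from 192.0.2.10 port 50301 ssh2
Nov 28 09:02:51 gw sshd[2410]: Failed password for invalid user test from 198.51.100.77 port 33410 ssh2
Nov 28 09:02:54 gw sshd[2410]: Failed password for invalid user guest from 198.51.100.77 port 33412 ssh2
"""

# Match only the final "Accepted <method>" / "Failed <method>" verdict lines.
AUTH_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def summarize(log_text):
    """Return (per-day Accepted/Failed counts, failed attempts per source)."""
    per_day = defaultdict(Counter)
    failed_sources = Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            # Skips non-verdict lines such as "Invalid user ...", which
            # would otherwise count the same attempt twice.
            continue
        day = " ".join(m["day"].split())  # syslog pads single-digit days
        per_day[day][m["result"]] += 1
        if m["result"] == "Failed":
            failed_sources[m["src"]] += 1
    return per_day, failed_sources

if __name__ == "__main__":
    per_day, failed_sources = summarize(SAMPLE_LOG)
    for day, counts in per_day.items():
        print(f"{day}: {counts['Accepted']} accepted, {counts['Failed']} failed")
    for src, n in failed_sources.most_common(5):
        print(f"{n:5d} failed attempts from {src}")
```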


