[Bro] First use of Bro
seth at remor.com
Wed Jul 14 05:06:35 PDT 2010
On Jul 13, 2010, at 10:39 PM, Ben Rosenberg wrote:
> I have started poking around some of the scripts and trying a few of the exercises in the slides from the 2009 Bro workshop. So far everything is working well.
> I have created a few patches to fix small problems I had or add features that I was looking for.
> - Patched main.cc to add the -N command line flag.
> - Removed duplicate login_non_failure_msgs from policy/login.bro.
> - Commented out example in policy/scan.bro.
> - Edited policy/ssh.bro to print what port is being used for ssh servers.
> - Created policy/dpd.ssh.bro that tells ssh to capture on all tcp ports.
> - Changed src/DPM.cc so that the SSH Analyzer is hooked into the analyzer tree
It would be best to submit these as patch tickets into the tracker at: http://tracker.icir.org/bro/
I'll coordinate with you off-list for getting a tracker account set up. We removed the ability for people to create their own accounts due to abuse.
> I also started to convert the 6000+ Nmap service probe signatures into dpd signatures.
Unfortunately, without a corresponding analyzer the most you can do is log what protocol was possibly seen on the connection. I've thought of doing the same thing before and it's pretty easy at least. The only reason I stopped was that there weren't too many worthwhile protocols, but I was looking at the regex's from the l7-filters project. Maybe the nmap signatures are better?
I have a set of scripts you may be interested in checking out at:
Let me know if you have any questions.
More information about the Bro