[Bro] Something is not clear to me concerning reporting
ian at south-border.com
Wed Oct 17 15:11:09 PDT 2012
On Oct 17, 2012, at 5:41 PM, Ian Dickens <ian at south-border.com> wrote:
> So, let's say that I have tcp ports 587 and 993 exposed on my firewall. I have bro running as a cluster on all interfaces. I see logs about well known SSL/HTTP/HTTPS ports but no anomalies in the hourly summaries. No alerts in email either (that I have seen). Now I do need to cruise through all the rotated compressed logs to check and see if something was recorded.
> The second thing I am wondering about is that there are no references to interfaces where the traffic was seen. For example, I have no IPv6 but I see unknown IPv6 traffic in the summary. Tools like:
> can be used to attempt to glean the MAC address to some degree. But I cannot quickly tell which interface the packet came in on to help decide where the threat lies between internal/dmz/external networks. I can make some really good guesses but it might be nice to spell it out in the logs.
> Many thanks in advance. Sorry for rambling, and if these are features in the works...
Ok, I did a little looking into the 993 reporting. Turns out there is something that shows up in the known.certs for the day but nothing else. I think I need to be patient and do some remote testing from an external source to verify that alarms are indeed working. Also, I did some looking for 587 and got nothing. No connections, no state, no certs - nothing.
P.S. The IPv6 issue stands - I still cannot quickly tell where the state of the TCP connection lies without SNORT, for example.