[Bro] Bro programming intro
hhoffman at ip-solutions.net
Tue Mar 19 11:06:59 PDT 2013
Wow!!! What the heck did it cost to get that domain name???
Congrats. Educause SPC is coming up and I'm sure Bro is going to be a
hot topic of conversation :-)
On 03/19/2013 01:34 PM, Seth Hall wrote:
> On Mar 19, 2013, at 12:41 PM, Tritium Cat <tritium.cat at gmail.com> wrote:
>> The ability to work with items outside of BroNSM to me is useful and easier than rewriting a BroNSM script and restarting a cluster when I want to look at something differently or trim logs.
> We're even moving away from "NSM" now.
>> I am very selective with using email as an alert mechanism.
> I fully believe this will expand over time. Email is just the obvious way that we support right now. Is there some other specific tool you would like to see Bro integrated with?
>> Using samples makes sense, as do UIDs. Samples involve content and sound larger than a simple int32?, but limiting those is fine as well, just as you would the UIDs. How do you plan to implement the sampling? By time or by unique requests? Can an attack tool run a number of SQL injection attempts and end the last 5 with something benign? I'd rather analyze the specifics outside of BroNSM before going back and tweaking BroNSM.
> If you run on a cluster it would become very hard for an attacker to end up sending just 5 at the end that would be forwarded to the analyst. Samples are collected on each worker and then interleaved and size limited again when the measurement results are merged at the end. I'm sure there are ways an attacker could mess with analysts still, but it's not as obvious as just sending a few benign requests at some specific period.
> Regardless, this is just Bro scripts that are tracking the content and they can typically be modified fairly easily.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> Bro mailing list
> bro at bro-ids.org
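A toy model of the sampling behaviour Seth describes, added here and not Bro's own code: each worker keeps its own samples, the manager interleaves them round-robin and size-limits the result again. It assumes a keep-the-most-recent policy per collector and pins connections to workers by source port as a stand-in for flow-based load balancing; the traffic and limits are constructed.

```python
from itertools import zip_longest

LIMIT = 5  # samples kept per key on each worker and after the merge
N_WORKERS = 4

def keep_last(samples, new, limit=LIMIT):
    """Keep only the `limit` most recent samples (assumed per-collector policy)."""
    return (samples + [new])[-limit:]

def worker_for(conn, n_workers=N_WORKERS):
    """Constructed stand-in for flow-based load balancing: pin a connection
    to a worker by its source port (conn = (orig_h, orig_p, resp_h, resp_p))."""
    return conn[1] % n_workers

def merge_samples(per_worker, limit=LIMIT):
    """Interleave the workers' sample lists round-robin (oldest first),
    then size-limit the result again, as described in the thread."""
    merged = []
    for column in zip_longest(*per_worker):
        merged.extend(s for s in column if s is not None)
    return merged[:limit]

def single_collector(requests, limit=LIMIT):
    """Standalone instance: one list, so a benign tail evicts every earlier sample."""
    samples = []
    for _conn, uri in requests:
        samples = keep_last(samples, uri, limit)
    return samples

def cluster(requests, n_workers=N_WORKERS, limit=LIMIT):
    """Cluster: each worker samples what it saw, the manager merges the lists."""
    per_worker = [[] for _ in range(n_workers)]
    for conn, uri in requests:
        w = worker_for(conn, n_workers)
        per_worker[w] = keep_last(per_worker[w], uri, limit)
    return merge_samples(per_worker, limit)

def is_sqli(uri):
    """Crude marker for the constructed sample URIs below."""
    return "'" in uri

def demo():
    """Constructed traffic: 20 injection attempts, then 5 benign requests."""
    attacker = "10.0.0.5"
    requests = [((attacker, 40000 + i, "192.0.2.10", 80), f"/item?id=1'--{i}")
                for i in range(20)]
    requests += [((attacker, 40020 + i, "192.0.2.10", 80), f"/about?page={i}")
                 for i in range(5)]
    return single_collector(requests), cluster(requests)
```

With the standalone policy only the five benign URIs survive; with per-worker collection and the interleaved merge, the five reported samples are all injection attempts, because the benign tail can only displace the tail of each worker's own list.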