[Bro] another kdd cup question

Oğuz Yarımtepe oguzyarimtepe at gmail.com
Sat Oct 5 00:38:54 PDT 2013

On Fri, Oct 4, 2013 at 10:57 PM, Jim Mellander <jmellander at lbl.gov> wrote:

> Hi:

> A number of your items (specifically # 10-22) appear to require inspection
> inside interactive sessions, which (unless the connection is cleartext), is
> not accessible to a network level monitor.  Lack of inspection into
> sessions, and the security benefits gained as a result are major benefits
> of modern session tools, of which the standard is ssh.
> If you have access to the systems you wish to monitor, you can install
> Instrumented SSHd, which will send a clear-text stream of the session to a
> bro monitor for inspection. See: https://code.google.com/p/auditing-sshd/
> Some of the information you want might also be logged via syslog, such as
> authentication events.
Very informative thank you. How about sum of bad checksum packets in a
connection and sum of urgent packets in a connections? Does Bro display the
packet based info as well or should i write some custom handlers for it?

Oğuz Yarımtepe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131005/80103a99/attachment.html 

More information about the Bro mailing list