[Bro] another kdd cup question
oguzyarimtepe at gmail.com
Sat Oct 5 00:38:54 PDT 2013
On Fri, Oct 4, 2013 at 10:57 PM, Jim Mellander <jmellander at lbl.gov> wrote:
> A number of your items (specifically # 10-22) appear to require inspection
> inside interactive sessions, which (unless the connection is cleartext), is
> not accessible to a network level monitor. Lack of inspection into
> sessions, and the security benefits gained as a result are major benefits
> of modern session tools, of which the standard is ssh.
> If you have access to the systems you wish to monitor, you can install
> Instrumented SSHd, which will send a clear-text stream of the session to a
> bro monitor for inspection. See: https://code.google.com/p/auditing-sshd/
> Some of the information you want might also be logged via syslog, such as
> authentication events.
Very informative, thank you. How about the sum of bad checksum packets in a
connection and the sum of urgent packets in a connection? Does Bro display the
packet-based info as well, or should I write some custom handlers for it?