[Bro] Intel Framework Issues
seth at icir.org
Mon Nov 23 12:48:17 PST 2015
> On Nov 23, 2015, at 1:47 PM, Josh Liburdi <liburdi.joshua at gmail.com> wrote:
> I think the most common gotcha for IP addresses is that they will only appear in intel.log when they are a part of a successful TCP connection. Unsuccessful TCP connections and non-TCP connections will not appear in the log.
Thanks for pointing that out Josh! I do want to point out the reasoning behind that as a default decision. My thinking was that spoofed packets could cause false hits and generally non-responded-to probes coming from intelligence hosts aren’t all that interesting. Is there general agreement that that’s the right approach or should single packets hit on intelligence items by default?
I think there is a high bar to clear with adding that as default behavior, but I’d like to hear from people actively doing incident response on their thoughts.
I should also point out that we can certainly include a script that matches on non-complete connections with Bro even if we don’t load it by default.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro