[Bro] BRO logs after http attacks
Azoff, Justin S
jazoff at illinois.edu
Wed Oct 28 16:20:44 PDT 2015
> On Oct 28, 2015, at 7:04 PM, masoom alam <masoom.alam at gmail.com> wrote:
> Hi Everyone,
> We are trying to monitor the BRO logs after self-generated HTTP attacks. In our lab we are trying to attack a web server through Metasploit for HTTP SQL injection attacks. The goal is to monitor the attack parameters/indicators via BRO logs. Are we on the right track? In particular, what is the ALERT/ALARM mechanism for BRO when it detects an attack... is it indicated in the logs... or are there some places to look for it and not just logs? Till now, while surfing the BRO logs, we have not found any attack information...
> Please guide.
Bro calls ALERT/ALARM things notices. Logs for those events go to the notice.log, so that should have something about your sql injection attempts.
The protocols/http/detect-sqli handles that sort of thing. It will raise notices for scans and add entries to the 'tags' column of the http log for matching connections.
- Justin Azoff
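Added example, not from the thread or from the Bro project: a small Python parser for Bro's tab-separated ASCII http.log that pulls out the connections detect-sqli tagged, so a lab like the one above can confirm the script is producing 'tags' entries before hunting for the matching notice.log lines. The log excerpt is constructed with a trimmed field list, and the tag value HTTP::URI_SQLI is assumed to be what the script writes.

```python
import codecs
from collections import Counter

# Constructed, trimmed http.log excerpt (not a real capture); the tag value
# HTTP::URI_SQLI is assumed to be what detect-sqli writes to the 'tags' set.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\turi\ttags\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tset[enum]\n"
    "1446063844.1\tCXa1bc\t10.0.0.5\t51234\t10.0.0.10\t80\tGET\t/index.php?id=1\t(empty)\n"
    "1446063845.4\tCXa1bd\t10.0.0.5\t51235\t10.0.0.10\t80\tGET\t/index.php?id=1%27%20OR%201%3D1\tHTTP::URI_SQLI\n"
    "1446063846.7\tCXa1be\t10.0.0.5\t51236\t10.0.0.10\t80\tGET\t/index.php?id=1%20UNION%20SELECT%201\tHTTP::URI_SQLI\n"
    "1446063847.0\tCXa1bf\t10.0.0.7\t40000\t10.0.0.10\t80\tGET\t/about.html\t-\n"
)

def parse_bro_log(text):
    """Yield one dict per record keyed by the #fields names; honours the separator,
    unset and empty markers and turns set[...] columns into Python sets."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types = [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#"):
            key, value = line[1:].split(sep, 1)
            if key == "set_separator": set_sep = value
            elif key == "unset_field": unset = value
            elif key == "empty_field": empty = value
            elif key == "fields": fields = value.split(sep)
            elif key == "types": types = value.split(sep)
        elif line:
            rec = {}
            for name, typ, raw in zip(fields, types, line.split(sep)):
                if raw == unset:
                    rec[name] = None          # Bro's '-' means the field was never set
                elif typ.startswith("set["):
                    rec[name] = set() if raw == empty else set(raw.split(set_sep))
                else:
                    rec[name] = raw
            yield rec

def sqli_tagged(text, tag="HTTP::URI_SQLI"):
    """Records whose 'tags' set carries the detect-sqli tag."""
    return [r for r in parse_bro_log(text) if r["tags"] and tag in r["tags"]]

def attempts_per_origin(text):
    """Tagged requests per source host: the notices are raised for scans, i.e.
    repeated attempts from one host, so this is the count worth watching."""
    return Counter(r["id.orig_h"] for r in sqli_tagged(text))
```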