[Bro] BRO logs after http attacks
masoom.alam at gmail.com
Wed Oct 28 18:24:23 PDT 2015
Thanks for the response.
This means within http logs there is an indication of a possible attack
through tags... which is detailed in notices.log...?
On Oct 29, 2015 4:20 AM, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
> > On Oct 28, 2015, at 7:04 PM, masoom alam <masoom.alam at gmail.com> wrote:
> > Hi Everyone,
> > We are trying to monitor the BRO logs after self generated HTTP attacks.
> > In our lab we are trying to attack a web server through metasploit for HTTP
> > SQL injection attacks. The goal is to monitor the attacks
> > parameters/indicators via BRO logs. Are we on the right track? In
> > particular, what is the ALERT/ALARM mechanism for BRO when it detects an
> > attack... is it indicated in the logs... or are there some places to look
> > for it and not just logs? Till now, while surfing the BRO logs, we have not
> > found any attack information...
> > Please guide.
> > Thanks
> Bro calls ALERT/ALARM things notices. Logs for those events go to the
> notice.log, so that should have something about your sql injection attempts.
> The protocols/http/detect-sqli handles that sort of thing. It will raise
> notices for scans and add entries to the 'tags' column of the http log for
> matching connections.
> - Justin Azoff
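To make Justin's answer concrete, here is an added example (not from this thread and not part of Bro's own code) that reads Bro's tab-separated log format, pulls the connections whose `tags` column in http.log carries the SQL-injection tag, and counts the notices in notice.log by note type. It assumes the tag and notice names that the detect-sqli script emits (`HTTP::URI_SQLI`, `HTTP::SQL_Injection_Attacker`, `HTTP::SQL_Injection_Victim`); the two sample logs are constructed, reduced to a handful of columns, and keyed on the `#fields` header so a full-width production log parses the same way.

```python
"""Parse Bro http.log / notice.log and surface SQL-injection detections.

Added example: the log samples below are constructed, not captured from a
real Bro instance, and the tag/notice names are assumed from the
protocols/http/detect-sqli script.
"""
import io
from collections import Counter
from typing import Dict, List, Optional, Set

Row = Dict[str, Optional[str]]

# Tag that detect-sqli adds to the http.log 'tags' set (assumed name).
SQLI_TAG = "HTTP::URI_SQLI"

# Constructed http.log sample. Bro writes '(empty)' for an empty set and
# '-' for an unset field; the header lines declare both markers.
SAMPLE_HTTP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.resp_h\tmethod\turi\tstatus_code\ttags
#types\ttime\tstring\taddr\taddr\tstring\tstring\tcount\tset[enum]
1446077000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t10.0.0.10\tGET\t/index.html\t200\t(empty)
1446077001.654321\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t10.0.0.10\tGET\t/login.php?user=admin'%20OR%201=1--\t200\tHTTP::URI_SQLI
1446077002.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.5\t10.0.0.10\tPOST\t/search\t500\t-
#close\t2015-10-28-18-24-23
"""

# Constructed notice.log sample (notice names assumed from detect-sqli).
SAMPLE_NOTICE_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnotice
#fields\tts\tuid\tnote\tmsg\tsrc\tdst
#types\ttime\tstring\tenum\tstring\taddr\taddr
1446077005.000000\t-\tHTTP::SQL_Injection_Attacker\tconstructed sample message\t10.0.0.5\t-
1446077005.000000\t-\tHTTP::SQL_Injection_Victim\tconstructed sample message\t10.0.0.10\t-
"""


def parse_bro_log(text: str) -> List[Row]:
    """Return one dict per data line, keyed by the names in '#fields'.

    Values equal to the file's empty marker become '' and values equal to
    the unset marker become None, so callers never compare against '-'.
    """
    fields: Optional[List[str]] = None
    empty, unset = "(empty)", "-"
    rows: List[Row] = []
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#empty_field":
                empty = parts[1]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            continue  # other header lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data line encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        normalised = ["" if v == empty else None if v == unset else v for v in values]
        rows.append(dict(zip(fields, normalised)))
    return rows


def tag_set(value: Optional[str]) -> Set[str]:
    """Split a Bro set[enum] column (comma separated) into a Python set."""
    return set(value.split(",")) if value else set()


def sqli_tagged(rows: List[Row], tag: str = SQLI_TAG) -> List[Row]:
    """http.log rows whose 'tags' column contains the SQL-injection tag."""
    return [r for r in rows if tag in tag_set(r.get("tags"))]


def summarize_notices(rows: List[Row]) -> Dict[str, int]:
    """Count notice.log rows by their 'note' type."""
    return dict(Counter(r["note"] for r in rows if r.get("note")))


if __name__ == "__main__":
    for row in sqli_tagged(parse_bro_log(SAMPLE_HTTP_LOG)):
        print(row["ts"], row["uid"], row["id.orig_h"], "->", row["id.resp_h"], row["uri"])
    for note, count in summarize_notices(parse_bro_log(SAMPLE_NOTICE_LOG)).items():
        print(note, count)
```

Run against a real deployment by replacing the constructed strings with the contents of `http.log` and `notice.log`; the `uid` column links a tagged request back to its conn.log entry, and the notice `src` field is the host detect-sqli scored as the attacker.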