[Bro] Basic Alerts/Email questions
hacecky at jlab.org
Wed Feb 10 07:33:35 PST 2016
Thanks for the reply.
>> Aside from that I have 1 SQL injection alert from Bro.
>> Meanwhile I have 100s of SQLi alerts registered in snort.
- Found the problem here.
From detect-sqli.bro:

    const sqli_requests_threshold: double = 50.0 &redef;

50 is just too high for my environment as the attacks get shut down before they reach that threshold. I redefined it to a lower value.
I'll skip the rest of the previous email and focus on the real message here.
> You seem to be approaching Bro from the perspective that it's a different version of Snort. Please try to let go of thinking about network monitoring and intrusion detection with the mindset of Snort where one
> signature generates one notice for a sequence of bytes. Spend a long time digging through the logs that it's generating, it's likely that you'll get a lot of pleasant surprises and you will learn a lot about
> your network that you didn't already know.
You are 100% correct. I could list a number of different articles I've read recently, some of them by you in fact, that convey the same sentiments.
I'm already a believer and will continue to use Bro, but for management, who will never directly interact with it, I need Bro to be meaningful to them, whether that's Snort-like alerts, metrics, heuristic data, etc. I just went with alerts because it seemed like the easiest to get going straight away.
I've been combing through github.com/trending/bro for some scripts that I can add. I've done as many training exercises as I can find, including the ones offered on bro.org as well as some from other sites, including ones that deal with logging like you mention: https://www.bro.org/bro-workshop-2011/solutions/logs/
So that's where I am. I will certainly continue working with the logs. In addition to that if you or anyone else have ideas on where I should be focusing my time for a new Bro install please let me know.
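As an added example, not part of the original message or of the Bro distribution, here is a site/local.bro fragment that lowers the threshold the way the post describes and also emails the resulting notices, which is the "Snort-like alert" the poster is after. It assumes Bro 2.x script names: detect-sqli.bro is loaded as protocols/http/detect-sqli and lives in module HTTP, its notice types are HTTP::SQL_Injection_Attacker and HTTP::SQL_Injection_Victim, and Notice::ACTION_EMAIL delivers to Notice::mail_dest. The address and the value 10.0 are placeholders to tune for your own traffic.

```bro
# Added example for site/local.bro (Bro 2.x); not from the original post.
# Assumes detect-sqli.bro is in module HTTP and exports the names used below.
@load protocols/http/detect-sqli

# The shipped default is 50.0 suspicious requests within
# HTTP::sqli_requests_interval before a notice fires. Lower it so that an
# attack which is blocked after a handful of requests still produces one.
# 10.0 is an assumed starting value; tune it against your own notice.log.
redef HTTP::sqli_requests_threshold = 10.0;

# Destination for Notice::ACTION_EMAIL (assumed address; set for your site).
redef Notice::mail_dest = "secops@example.org";

# Email the two SQLi notice types as they fire, in addition to the usual
# notice.log entry. Other notices keep their default actions.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == HTTP::SQL_Injection_Attacker ||
	     n$note == HTTP::SQL_Injection_Victim )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

To check the threshold before deploying it, replay a capture of one of the scans that Snort already alerts on (for example `bro -C -r scan.pcap local`) and confirm that notice.log now contains an HTTP::SQL_Injection_Attacker entry; if it still does not, count the matching requests in http.log and set the threshold below that number.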