[Bro] Basic Alerts/Email questions

Seth Hall seth at icir.org
Wed Feb 10 08:16:30 PST 2016

> On Feb 10, 2016, at 10:33 AM, Eric Hacecky <hacecky at jlab.org> wrote:
> 50 is just too high for my environment as the attacks get shut down before they reach that threshold.  I redefined it to a lower value.

You have something in place already actively watching for attacks and shutting off attackers?

> I'm already a believer and will continue to use Bro, but for management who will never directly interact with it, I need Bro to be meaningful to them.  Whether that's Snort-like alerts, metrics, heuristic data, etc.  I just went with alerts because it seemed like the easiest to get going straight away.

This is certainly where things get complicated because what management should be watching for is an engaged and vigilant incident response team.  If that team has tools that cause them to be more engaged and more vigilant, then that's great.  Unfortunately, most of the graphs that management will want to see won't actually reflect the reality of the activity for the incident responders and incident finders/hunters, which most of the industry has split out from incident response at this point (which I still think is unfortunate).

> I've been combing through github.com/trending/bro for some scripts that I can add.  I've done as many training exercises as I can find, including the ones offered on bro.org as well as some from other sites, including ones that deal with logging like you mention https://www.bro.org/bro-workshop-2011/solutions/logs/

A fun one to load in case you haven't noticed it yet is the one that catalogs touches to Microsoft's Dr. Watson service.  It will log hardware getting attached to a system and process crashes, among some other things.

Make sure you follow the directions and clone that repository recursively because there is another repository that it needs to pull in for hardware information.

> So that's where I am.  I will certainly continue working with the logs.  In addition to that if you or anyone else have ideas on where I should be focusing my time for a new Bro install please let me know.

Great!  Definitely let us know if you have questions.  I know there are a lot of logs and it can take a long time to fully grok them all.  


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
