[Bro] My first Bro Scripts

Josh Guild josh.guild at morphick.com
Fri May 27 06:12:59 PDT 2016

Hi Abdul,

You could use it to verify outbound connections if you wanted.

Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets
set with the IPs you like to verify.

What's your overall goal with monitoring outbound connections? There may be
a more elegant way of achieving it.


On Thu, May 26, 2016 at 7:41 PM, ِABDUL ALEANAZI <d7om.ph at hotmail.com>

> what about outgoing connections? does it check for that?
> Sent from my iPhone
> On May 26, 2016, at 10:42 AM, Josh Guild <josh.guild at morphick.com> wrote:
> Hi everyone,
> I wrote a few Bro scripts to cut my teeth on the language if you all would
> like to check them out:
> https://github.com/joshuaguild/bro_scripts
> Network Visibility will allow you to confirm that the traffic that should
> be flowing to your sensor actually is. You can populate what subnets you
> should be seeing and it will dump a log to confirm if it sees a host in
> that subnet.
> RDP Layout just checks the keyboard_layout field in the rdp.log against a
> whitelist (or you can make it a black list by changing the !in to in). Good
> for monitoring for lateral movement or connections to your DMZ.
> Comments/criticism are welcome! (I'm a network guy, not a programmer so...)
> --
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> <http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>

Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160527/2592a5ae/attachment-0001.html 

More information about the Bro mailing list