[Bro] My first Bro Scripts
josh.guild at morphick.com
Fri May 27 06:12:59 PDT 2016
You could use it to verify outbound connections if you wanted.
Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets
set with the IPs you'd like to verify.
What's your overall goal with monitoring outbound connections? There may be
a more elegant way of achieving it.
On Thu, May 26, 2016 at 7:41 PM, ABDUL ALEANAZI <d7om.ph at hotmail.com> wrote:
> What about outgoing connections? Does it check for that?
> Sent from my iPhone
> On May 26, 2016, at 10:42 AM, Josh Guild <josh.guild at morphick.com> wrote:
> Hi everyone,
> I wrote a few Bro scripts to cut my teeth on the language if you all would
> like to check them out:
> Network Visibility will allow you to confirm that the traffic that should
> be flowing to your sensor actually is. You can populate what subnets you
> should be seeing and it will dump a log to confirm if it sees a host in
> that subnet.
> RDP Layout just checks the keyboard_layout field in the rdp.log against a
> whitelist (or you can make it a blacklist by changing the !in to in). Good
> for monitoring for lateral movement or connections to your DMZ.
> Comments/criticism are welcome! (I'm a network guy, not a programmer so...)
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
> Bro mailing list
> bro at bro-ids.org
Network Intelligence Analyst
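The visibility check discussed in this thread, written out as an added example (this is not Josh's script, only an illustration of the approach he describes): a set of expected subnets is compared against both c$id$orig_h and c$id$resp_h, so inbound and outbound traffic are covered in one handler, and each matching subnet is logged the first time it is seen. The module name NetVisibility, the log path, and the subnet values in expected_nets are assumptions; replace them with the ranges your sensor should be seeing.

```zeek
##! Added example: log the first connection seen from or to each configured
##! subnet, to confirm the sensor actually receives the traffic you expect.

module NetVisibility;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time    &log;
        uid:       string  &log;
        host:      addr    &log;
        direction: string  &log;   # "orig" (c$id$orig_h) or "resp" (c$id$resp_h)
        net:       subnet  &log;
    };

    ## Subnets you expect the sensor to see (assumed placeholder values).
    const expected_nets: set[subnet] = {
        10.0.0.0/8,
        192.168.0.0/16,
    } &redef;
}

## Subnets already reported, so each one shows up in the log once.
global seen_nets: set[subnet];

event bro_init()
    {
    Log::create_stream(NetVisibility::LOG, [$columns=Info, $path="net_visibility"]);
    }

## Check one endpoint of a connection against the expected subnets.
function report(c: connection, h: addr, direction: string)
    {
    # addr-in-set[subnet] does prefix matching, so this is a quick reject.
    if ( h !in expected_nets )
        return;

    # Find the matching subnet; the set is small, so a scan is fine.
    for ( n in expected_nets )
        {
        if ( h in n && n !in seen_nets )
            {
            add seen_nets[n];
            Log::write(NetVisibility::LOG, [$ts=network_time(), $uid=c$uid,
                                            $host=h, $direction=direction, $net=n]);
            }
        }
    }

event connection_established(c: connection)
    {
    # Both directions: originator covers inbound, responder covers outbound.
    report(c, c$id$orig_h, "orig");
    report(c, c$id$resp_h, "resp");
    }
```

Run it with the rest of your local scripts (for example by loading it from local.bro) and watch net_visibility.log: a subnet that never appears after a reasonable window is one the sensor is not seeing, which usually points at a SPAN/tap or VLAN configuration gap rather than at the script.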