[Bro] My first Bro Scripts
josh.guild at morphick.com
Fri May 27 07:37:35 PDT 2016
Thanks! I'd love some help in adding the local_nets into the net_conn_nets
set if you have the time.
The RDP script hasn't been deployed just yet since I just wrote it but
we'll be pushing it out in our next build. I'll let you know if we get hits
on anything fun.
And I'll go through today and clean up my formatting, I know it's a mess
right now :)
On Fri, May 27, 2016 at 10:04 AM, Seth Hall <seth at icir.org> wrote:
> > On May 27, 2016, at 9:12 AM, Josh Guild <josh.guild at morphick.com> wrote:
> > Network Visibility will allow you to confirm that the traffic that
> > should be flowing to your sensor actually is. You can populate what subnets
> > you should be seeing and it will dump a log to confirm if it sees a host in
> > that subnet.
> I like that visibility script. It's a pretty neat idea. Let me know if
> you need any pointers for moving to local_nets.
> > RDP Layout just checks the keyboard_layout field in the rdp.log against
> > a whitelist (or you can make it a black list by changing the !in to in).
> > Good for monitoring for lateral movement or connections to your DMZ.
> Cool idea too. Has it caught anything interesting?
> One small suggestion I could make is that you might want to go through
> quickly and clean up the formatting of your scripts. You have tabs and
> spaces intermixed and some parts just aren't indented to the correct depth,
> it would make them a bit easier to read. :)
> Thanks for putting those scripts out there. Cool ideas!
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
Network Intelligence Analyst
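The two scripts discussed in this thread are described but not shown. Below is an added illustration, written for this archive page, of how both ideas look as one Bro script built on Site::local_nets, as Seth suggests. It is not one of Josh's posted scripts and not part of Bro's own distribution; the module name SensorChecks, the log path "visibility", the notice type RDP_Keyboard_Layout, the layout list and the reporting interval are all assumptions made for the example.

```bro
##! Added example (not the scripts from the thread): per-subnet visibility
##! log driven by Site::local_nets, plus an RDP keyboard-layout check.

@load base/utils/site
@load base/frameworks/notice
@load base/protocols/rdp

module SensorChecks;

export {
	redef enum Log::ID += { LOG };

	redef enum Notice::Type += {
		## An RDP client announced a keyboard layout that fails the list check.
		RDP_Keyboard_Layout
	};

	## One visibility.log line per monitored subnet per reporting interval.
	type Info: record {
		ts:    time   &log;
		net:   subnet &log;
		seen:  bool   &log;
		hosts: count  &log;
	};

	## How often to write the visibility log (assumed value).
	const report_interval = 1 hr &redef;

	## Keyboard layouts considered normal, spelled as Bro writes them to
	## rdp.log (assumed list; redef it in local.bro for your environment).
	const expected_layouts: set[string] = {
		"English - United States",
	} &redef;

	## F: whitelist (alert on layouts NOT in the set).
	## T: blacklist (alert on layouts IN the set).  Same effect as the
	## "!in" versus "in" flip described in the thread.
	const layouts_are_blacklist = F &redef;
}

# Event used to drive the periodic report.
global report: event();

# Hosts observed in each local subnet since the last report.
global hosts_seen: table[subnet] of set[addr];

event bro_init()
	{
	Log::create_stream(SensorChecks::LOG, [$columns=Info, $path="visibility"]);

	# Seed one entry per subnet so unseen subnets still get a log line.
	for ( n in Site::local_nets )
		hosts_seen[n] = set();

	schedule report_interval { report() };
	}

# Record an address against its local subnet, if it has one.
function note_local(a: addr)
	{
	if ( a in Site::local_nets_table )
		add hosts_seen[Site::local_nets_table[a]][a];
	}

event new_connection(c: connection)
	{
	note_local(c$id$orig_h);
	note_local(c$id$resp_h);
	}

event report()
	{
	for ( n in hosts_seen )
		{
		Log::write(SensorChecks::LOG, [$ts=network_time(), $net=n,
		                               $seen=|hosts_seen[n]| > 0,
		                               $hosts=|hosts_seen[n]|]);
		hosts_seen[n] = set();
		}

	schedule report_interval { report() };
	}

event RDP::log_rdp(rec: RDP::Info)
	{
	# keyboard_layout is &optional: it is only populated when the client's
	# Connect Initial is visible in the clear, so skip records without it.
	if ( ! rec?$keyboard_layout )
		return;

	local listed = rec$keyboard_layout in expected_layouts;
	if ( listed == layouts_are_blacklist )
		NOTICE([$note=RDP_Keyboard_Layout,
		        $msg=fmt("RDP client %s announced keyboard layout '%s' to %s",
		                 rec$id$orig_h, rec$keyboard_layout, rec$id$resp_h),
		        $sub=rec$keyboard_layout,
		        $id=rec$id, $uid=rec$uid,
		        # One notice per (client, layout) pair within the suppression window.
		        $identifier=cat(rec$id$orig_h, rec$keyboard_layout)]);
	}
```

Two practical caveats when running something like this: a subnet with `seen=F` in visibility.log means no connection touched it during the interval, which could be a tap or span-port problem or simply a quiet segment, so read it against the interval length; and the keyboard layout only appears in rdp.log when the RDP negotiation stays in the clear, so sessions that switch to TLS or CredSSP early will produce no keyboard_layout field and therefore no notice, which is why the script checks `rec?$keyboard_layout` rather than assuming the field is present.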