[Bro] My first Bro Scripts
josh.guild at morphick.com
Fri May 27 10:21:47 PDT 2016
No problem. My script may be a limited way to do this. If there are
specific domains/IPs you'd like to watch for, then I'd recommend using the
intel framework. This will log and notify.
Or you could use bro-cut on the id.resp_h field in your conn.log with some
regex to remove private IPs (I think I have a one-liner for this somewhere).
Hope that helps!
On Fri, May 27, 2016, 12:28 ABDUL ALEANAZI <d7om.ph at hotmail.com> wrote:
> great! Thank you
> My goal is to monitor the behaviour of the network for outbound connections.
> Sent from my iPhone
> On May 27, 2016, at 6:13 AM, Josh Guild <josh.guild at morphick.com> wrote:
> Hi Abdul,
> You could use it to verify outbound connections if you wanted.
> Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets
> set with the IPs you like to verify.
> What's your overall goal with monitoring outbound connections? There may
> be a more elegant way of achieving it.
> On Thu, May 26, 2016 at 7:41 PM, ABDUL ALEANAZI <d7om.ph at hotmail.com>
>> What about outgoing connections? Does it check for that?
>> Sent from my iPhone
>> On May 26, 2016, at 10:42 AM, Josh Guild <josh.guild at morphick.com> wrote:
>> Hi everyone,
>> I wrote a few Bro scripts to cut my teeth on the language if you all
>> would like to check them out:
>> Network Visibility will allow you to confirm that the traffic that should
>> be flowing to your sensor actually is. You can populate what subnets you
>> should be seeing and it will dump a log to confirm if it sees a host in
>> that subnet.
>> RDP Layout just checks the keyboard_layout field in the rdp.log against a
>> whitelist (or you can make it a black list by changing the !in to in). Good
>> for monitoring for lateral movement or connections to your DMZ.
>> Comments/criticism are welcome! (I'm a network guy, not a programmer.)
>> Josh Guild
>> Network Intelligence Analyst
>> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>> Bro mailing list
>> bro at bro-ids.org
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
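As an added illustration of the Network Visibility script the thread describes (this is not Josh's script; it is written from his description), the Bro script below checks each established connection's originator against a set of expected subnets and writes one confirmation line per subnet to a net_visibility.log. The subnet values are constructed samples and the module, record and log names are assumptions; swapping c$id$orig_h for c$id$resp_h turns it into the outbound check discussed above.

```bro
module NetVisibility;

export {
    redef enum Log::ID += { LOG };

    ## One line per subnet the sensor has actually seen traffic from.
    type Info: record {
        ts:   time   &log;
        host: addr   &log;   # first host observed in the subnet
        net:  subnet &log;   # the expected subnet that was confirmed
    };

    ## Subnets that should be visible to this sensor (constructed
    ## sample values; replace with your own, or redef in local.bro).
    const net_conn_nets: set[subnet] = {
        10.0.0.0/8,
        192.168.1.0/24,
    } &redef;
}

## Subnets already confirmed, so each is logged only once per run.
global seen_nets: set[subnet];

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info, $path="net_visibility"]);
    }

event connection_established(c: connection)
    {
    # Use c$id$resp_h here instead to verify outbound destinations.
    local h = c$id$orig_h;

    # addr-in-set[subnet] is true when any listed subnet contains h.
    if ( h !in net_conn_nets )
        return;

    for ( n in net_conn_nets )
        {
        if ( h in n && n !in seen_nets )
            {
            add seen_nets[n];
            Log::write(LOG, [$ts=network_time(), $host=h, $net=n]);
            }
        }
    }
```

Any expected subnet that never appears in net_visibility.log after a reasonable window is traffic the sensor is not seeing, which is the visibility gap the script is meant to expose.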