[Bro] Bro detection scripts

Johanna Amann johanna at icir.org
Mon Nov 28 14:54:37 PST 2016


Hi,

since the ftp bruteforcing / ssh password guessing scripts are policy
scripts, they are not loaded by default.

If you invoke bro via command-line, just add
protocols/ssh/detect-bruteforcing.bro and
protocols/ftp/detect-bruteforcing.bro to your command line. If you use
broctl, the ssh bruteforce detector should be loaded by default; you have
to add the ftp one to local.bro.

If the notices still do not show up afterwards, you might need to tweak
the thresholds of the different scripts.

I hope this helps,
 Johanna


On Mon, Nov 21, 2016 at 12:28:16AM +0200, abdulrahman musallam wrote:
> Hi,
> When I perform a TCP port scan on my machine, Bro raises a notice
> immediately to notice.log, and this notice is raised by the scan.bro script
> that detects scanning. Such scripts exist for FTP brute forcing and SSH
> password guessing, but when I perform any of these attacks (FTP brute
> forcing and SSH password guessing) it won't show anything in the notice log
> that indicates any occurrence of them!! Could someone please help me with
> this problem! HOW TO INVOKE BRO DETECTION SCRIPTS??
> 
> Thanks.

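The setup described in the reply above, as an added example that is not part of the original message or of Bro's shipped local.bro: a local.bro fragment that loads both detectors and lowers their thresholds for a lab test. The option names are the ones defined in the two Bro 2.x policy scripts (check your installed copies); the values chosen here are illustrative assumptions.

```bro
# local.bro fragment (added example, not from the original thread).

# Policy scripts are not loaded automatically; load both detectors.
# The SSH one may already be loaded by the broctl default local.bro;
# loading a script twice is harmless.
@load protocols/ssh/detect-bruteforcing
@load protocols/ftp/detect-bruteforcing

# SSH: a notice (SSH::Password_Guessing) is raised once one source
# exceeds this many failed logins within the timeout window.
# Shipped defaults in Bro 2.x: 30 failures within 30 mins.
redef SSH::password_guesses_limit = 5.0;   # illustrative lab value
redef SSH::guessing_timeout = 10 mins;     # illustrative lab value

# FTP: a notice (FTP::Bruteforcing) is raised once one source
# exceeds this many failed authentications within the interval.
# Shipped defaults in Bro 2.x: 20 failures within 15 mins.
redef FTP::bruteforce_threshold = 5.0;                # illustrative lab value
redef FTP::bruteforce_measurement_interval = 10 mins; # illustrative lab value

# Command-line equivalent when not using broctl (interface name is
# an assumption):
#   bro -i eth0 local protocols/ftp/detect-bruteforcing
```

After editing local.bro under broctl, run `broctl deploy` so the running instance picks up the change, then check notice.log for the two notice types.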