[Bro] Newbie at bro, some questions
sebclaut at gmail.com
Wed Sep 28 11:17:31 PDT 2016
Btw, if you want to test your config, add local after the bro -r tracefile.
You can also use tcpreplay and send the pcap to your listening interface.
Bro does not work as a classic IDS that will send an alert. Bro, as far as
I know, will log the connections and maybe send a notice
if there is a script telling it to do so, but it's not a signature IDS like
2016-09-27 0:08 GMT+02:00 Yagyesh Srivastava <ysrivas at ncsu.edu>:
> That's great thanks.
> Could anyone please let me know, what if we want to test some attack
> traffic which is not mentioned in the traces.
> How do we do that?
> Do we have some more traces present which don't come in the bro directory by
> Because I feel SQL Injection and HTTP brute force are common attack
> traffic and should ideally be present in the traces.
> On Sep 26, 2016 4:17 PM, "Dane Wullen" <brot212 at googlemail.com> wrote:
>> Hi there,
>> you can read in trace files via a command shell:
>> bro -r <your_trace_file>
>> Bro will then generate log files in the directory you run the command.
>> To test a bro-script with a trace file you could run the command
>> bro -r <your_trace_file> <your_bro_script>
>> Am 26.09.2016 um 22:01 schrieb Yagyesh Srivastava:
>> I am very new to bro, I don't quite fully understand how traces work.
>> What I need to do is generate some attack traffic to test the changes I
>> am trying to make. I see there are some traces in bro, how do these work?
>> As in, how can I use those to test with bro?
>> Also in the bro traces, I don't find the traffic for a DoS attack and SQL
>> injection attack, can we find the traces for these somewhere else?
>> Thanks and regards
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
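The thread mentions that Bro only raises a notice if a script tells it to, and that there is no HTTP brute-force trace in the distribution. The script below is an added example (not code from the thread or from the Bro project) of such a script: it counts HTTP 401 responses per client and raises a notice once a client crosses a threshold. The module name HTTPBruteForce, the notice type Possible_Bruteforce, the threshold of 10, the 5-minute expiry window and the file name http_bruteforce.bro are all arbitrary choices for this example.

```bro
# http_bruteforce.bro -- added example, not from the original thread.
# Raises a notice when one client receives `threshold` HTTP 401 responses
# (failed authentication) within the expiry window. Module name, threshold
# and expiry window are arbitrary choices for this example.
@load base/frameworks/notice
@load base/protocols/http

module HTTPBruteForce;

export {
    redef enum Notice::Type += {
        ## One origin host collected too many HTTP 401 responses.
        Possible_Bruteforce
    };

    ## Number of 401 responses from a single client before a notice is raised.
    const threshold = 10 &redef;
}

# Per-client counter of 401 responses; entries expire 5 minutes after creation.
global failures: table[addr] of count &default=0 &create_expire=5min;

event http_reply(c: connection, version: string, code: count, reason: string)
{
    # Only 401 Unauthorized replies count as failed login attempts here.
    if ( code != 401 )
        return;

    local client = c$id$orig_h;
    ++failures[client];

    # Fire exactly once per client when the threshold is crossed.
    if ( failures[client] == threshold )
        NOTICE([$note=Possible_Bruteforce,
                $msg=fmt("%s received %d HTTP 401 responses", client, threshold),
                $conn=c,
                $identifier=cat(client)]);
}
```

To try it against a trace, run bro -r trace.pcap http_bruteforce.bro (or bro -r trace.pcap local http_bruteforce.bro to also load the site config, as suggested above) and look for notice.log next to http.log and conn.log in the current directory. Since no such trace ships with Bro, the pcap has to be recorded separately, for example by sending repeated wrong credentials to a test web server that answers with 401 and capturing the exchange; tcpreplay can then replay the same file to a live interface if you want to exercise a running Bro instance instead of reading the trace offline.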