[Bro] Newbie at bro, some questions

Aashish Sharma asharma at lbl.gov
Wed Sep 28 11:51:30 PDT 2016


On Mon, Sep 26, 2016 at 06:08:36PM -0400, Yagyesh Srivastava wrote:
> That's great thanks.
> Could anyone please let me know, what if we want to test some attack
> traffic which is not mentioned in the traces.

You generate your own traces using tcpdump. 

> How do we do that?

Use tcpdump to capture whatever traffic you want to try with Bro. You might need to generate that kind of traffic. Check out tcpdump and Wireshark.


> Do we have some more traces present which don't come to bro directory by
> default?

You can Google for traces/pcaps.

> Because I feel SQL Injection and HTTP brute force are common attack traffic
> and should ideally be present in the traces.

Ideally! Maybe you can generate those and contribute back to the community.

Thanks, 
Aashish 

> 
> Regards
> 
> On Sep 26, 2016 4:17 PM, "Dane Wullen" <brot212 at googlemail.com> wrote:
> 
> > Hi there,
> >
> > you can read in trace files via a command shell:
> >
> > bro -r <your_trace_file>
> >
> > Bro will then generate log files in the directory you run the command.
> >
> > To test a bro-script with a trace file you could run the command
> >
> > bro -r <your_trace_file> <your_bro_script>
> >
> > Cheers
> > On 26.09.2016 at 22:01, Yagyesh Srivastava wrote:
> >
> > Hi,
> >
> >
> > I am very new to Bro; I don't quite fully understand how traces work.
> > What I need to do is generate some attack traffic to test the changes I am
> > trying to make. I see there are some traces in Bro; how do these work?
> > As in, how can I use those to test with Bro?
> >
> > Also, in the Bro traces, I don't find the traffic for DoS attack and SQL
> > injection attack; can we find the traces for these somewhere else?
> >
> > Thanks and regards
> > Yagyesh
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> >
> >
