[Bro] Newbie at bro, some questions

Seth Hall seth at icir.org
Thu Sep 29 05:52:55 PDT 2016

> On Sep 26, 2016, at 6:08 PM, Yagyesh Srivastava <ysrivas at ncsu.edu> wrote:
> Could anyone please let me know, what if we want to test some attack traffic which is not mentioned in the traces.
> How do we do that? 
> Do we have some more traces present which don't come to bro directory by default?
> Because I feel SQL Injection and HTTP brute force are common attack traffic and should ideally be present in the traces.

Unfortunately, getting representative test traffic is frequently very difficult.  For the SQL injection script specifically it would be nearly impossible to have a trace that has all of the potential variants of attacks so I resorted to testing the regular expression more directly.  I believe that regex needs to be updated some too because I know there are a lot of false positives that the internet is causing on it these days.

If you want to see the SQL injection regex test suite, you can see it here:


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list