[Bro] Newbie at bro, some questions

Daniel Guerra daniel.guerra69 at gmail.com
Thu Sep 29 07:03:21 PDT 2016


Hi,

Here is a nice testing set with pcaps:

https://www.netresec.com/?page=PcapFiles


> On 29 Sep 2016, at 15:32, Yagyesh Srivastava <ysrivas at ncsu.edu> wrote:
> 
> Thanks for the help.
> So if my understanding is correct, running the traces on bro is as good as sending the same traffic which is present in the pcap from another system on to bro?
> 
> 
> On Sep 29, 2016 8:52 AM, "Seth Hall" <seth at icir.org> wrote:
> 
> > On Sep 26, 2016, at 6:08 PM, Yagyesh Srivastava <ysrivas at ncsu.edu> wrote:
> >
> > Could anyone please let me know: what if we want to test some attack traffic which is not mentioned in the traces?
> > How do we do that?
> > Do we have some more traces present which don't come in the bro directory by default?
> > Because I feel SQL Injection and HTTP brute force are common attack traffic and should ideally be present in the traces.
> 
> Unfortunately, getting representative test traffic is frequently very difficult.  For the SQL injection script specifically it would be nearly impossible to have a trace that has all of the potential variants of attacks so I resorted to testing the regular expression more directly.  I believe that regex needs to be updated some too because I know there are a lot of false positives that the internet is causing on it these days.
> 
> If you want to see the SQL injection regex test suite, you can see it here:
>         https://github.com/bro/bro/blob/f5ce4785ea96b56643c092331a16308f071c8092/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
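Seth's point above, that the SQL-injection detector is easier to test at the regex level than by hunting for a trace that carries every variant, as an added example in Python. This is not code from the thread and not Bro's own detect-sqli regex (Bro's pattern syntax differs from Python's re, so the real test suite linked above is written as a Bro script); the two candidate patterns, the "loose"/"strict" names and every URI in the corpus are constructed for this illustration. The harness runs a labelled list of request URIs through each candidate and lists every false positive and every miss as a concrete URI, which is what makes the kind of false-positive regression Seth mentions visible before a pattern ships.

```python
"""Direct regex testing for a URI-based SQL-injection detector.

Added example: a Python stand-in for testing a detection regex against a
labelled corpus of request URIs instead of against a pcap.  The patterns
are illustrative, not Bro's detect-sqli.bro regex, and every URI below is
constructed for this test (not taken from real traffic).
"""
import re
from typing import Dict, List, Tuple

# Separators an attacker may place between SQL tokens inside a URI:
# whitespace, '+', a percent-encoded space, or an inline /* */ comment.
_SEP = r"(?:\s|\+|%20|/\*.*?\*/)"
_KEYWORDS = r"(?:union|select|insert|delete|drop|exec|having|declare|create|or|and)"

# Candidate A ("loose", assumed name): a query-parameter value containing
# a SQL keyword preceded by a separator.  Catches quote-less numeric
# injection such as ?id=1 UNION SELECT ... but also ordinary search text.
LOOSE_RE = re.compile(
    r"[?&][^=&#\s]+="           # parameter name and '='
    r"[^&#]*?"                  # value prefix, as short as possible
    + _SEP + r"+"               # one or more separators
    + _KEYWORDS
    + r"(?![A-Za-z0-9_])",      # the keyword must not continue into a word
    re.IGNORECASE,
)

# Candidate B ("strict", assumed name): additionally requires a break-out
# token (a quote, ';' or ')') before the keyword, i.e. evidence that the
# value is escaping a quoted SQL literal.  Fewer false positives, but it
# misses the quote-less UNION case above.
STRICT_RE = re.compile(
    r"[?&][^=&#\s]+="
    r"[^&#]*?"
    r"(?:['\"]|%27|%22|;|%3B|\))"   # break-out token
    r"[^&#]*?"
    + _SEP + r"+"
    + _KEYWORDS
    + r"(?![A-Za-z0-9_])",
    re.IGNORECASE,
)

CANDIDATES: Dict[str, re.Pattern] = {"loose": LOOSE_RE, "strict": STRICT_RE}

# Constructed corpus: (request URI, is this an injection attempt?)
CORPUS: List[Tuple[str, bool]] = [
    ("/item.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users", True),
    ("/item.php?id=1'%20OR%20'1'='1", True),
    ("/login?user=admin'--&pass=x", True),   # tautology with no keyword
    ("/search?q=test')%3B%20DROP%20TABLE%20users%3B--", True),
    ("/item.php?id=1'/**/UNION/**/SELECT/**/1,2,3", True),
    ("/search?q=cats%20and%20dogs", False),
    ("/blog?title=how+to+select+a+plan", False),
    ("/api/v1/orders?status=shipped&limit=50", False),
    ("/docs?q=rock%20%26%20roll", False),
    ("/profile?name=O'Brien%20and%20sons", False),
]


def evaluate(pattern: re.Pattern, corpus: List[Tuple[str, bool]]) -> Dict[str, List[str]]:
    """Run one pattern over the labelled corpus and bucket each URI as
    tp / fp / fn / tn, so a regression shows up as a concrete URI rather
    than as a changed match count."""
    buckets: Dict[str, List[str]] = {"tp": [], "fp": [], "fn": [], "tn": []}
    for uri, is_attack in corpus:
        hit = pattern.search(uri) is not None
        key = ("tp" if is_attack else "fp") if hit else ("fn" if is_attack else "tn")
        buckets[key].append(uri)
    return buckets


def run_all() -> Dict[str, Dict[str, List[str]]]:
    """Evaluate every candidate pattern; returns {candidate: buckets}."""
    return {name: evaluate(rx, CORPUS) for name, rx in CANDIDATES.items()}


if __name__ == "__main__":
    for name, b in run_all().items():
        print(f"{name}: tp={len(b['tp'])} fp={len(b['fp'])} fn={len(b['fn'])} tn={len(b['tn'])}")
        for uri in b["fp"]:
            print("  FALSE POSITIVE:", uri)
        for uri in b["fn"]:
            print("  MISSED:        ", uri)
```

Running it prints the four counts per candidate and then the offending URIs. The loose pattern fires on ordinary search strings that happen to contain "and" or "select"; the strict one stays quiet on those but still fires on the O'Brien query and misses both the quote-less UNION request and the keyword-free tautology, which is the trade-off that makes a pattern like this drift toward false positives on real traffic. Keeping the corpus in the test suite, as the btest file above does for Bro, means any later tightening of the regex is checked against every case at once.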
