useful *.bro files repository?
Anton Chuvakin, Ph.D.
anton at netForensics.com
Fri Feb 21 13:47:54 PST 2003
Vern and all,
>Well, it all depends on (1) your threat model, (2) how much load you can
>afford.
I know :-) That is exactly why I asked. I was looking for ANY feedback on
what others were doing with bro and received NOTHING. So I assume people
are not really using it for any detection, but just as an educational tool
(which is fine!).
I continue to play with various policies. Some combinations crash bro,
some produce config parsing errors, some cause it to die a slow death,
etc.
Here is what I use now:
@load mt
@load http
@load backdoor
@load ssh
@load stepping
@load software
@load smtp
@load dns
const interfaces += "eth1";
It works, doesn't detect much, some fun FTP attacks and weird RST packets
got flagged. I want more :-) but some of the others I tried crash it.
Best,
--
Anton Chuvakin, Ph.D., GCIA
Senior Security Analyst
netForensics - http://www.netForensics.com
732-393-6071