useful *.bro files repository?
Vern Paxson
vern at icir.org
Sat Feb 22 11:55:34 PST 2003
> I was looking for ANY feedback on
> what others were doing with bro and received NOTHING. So I assume people
> are not really using it for any detection, but just as an educational tool
> (which is fine!).
Well, LBL and UCB use it 24x7 for detection, quite effectively. I know
some other sites are running it seriously, too.
> I continue to play with various policies. Some combinations crash bro,
> some produce config parsing errors, some cause it to die a slow death,
> etc.
Rather than just stating these as generalities, please send along specifics
so they can be investigated/fixed. (Feel free to do this privately if
you want.)
> Here is what I use now:
Yep, that's what a number of our boxes use, except replace:
> @load http
with @load http-reply in order to pick up HTTP requests & replies.
> It works, doesn't detect much, some fun FTP attacks and weird RST packets
Do you know if things are indeed being missed?
Vern