[Bro] How to generate the alerts directly?

Cliff zhangwei at comexgenesys.com
Mon Sep 6 21:16:48 PDT 2004


Hi all,

    I run Bro on the Linux platform,
    #./bro mt -w /home/zhangwei/bro0907.dump
    which generates the following "events":
1094541140.067097 0.000000 64.53.211.63 192.168.10.138 other 6881 35621 tcp 0 ? SH X
1094541140.410734 12.237875 142.179.55.64 192.168.10.138 other 6884 35617 tcp 0 ? SH X
1094541140.758831 0.092686 192.168.10.119 210.19.14.6 pop-3 2880 110 tcp 0 0 SF X
1094541138.304385 5.093945 192.168.10.138 209.187.140.241 other 35627 6881 tcp 0 0 SF X
1094541142.283356 1.248243 192.168.10.107 202.104.32.234 pop-3 3221 110 tcp 61 6509 SF X
1094541159.391014 0.058311 192.168.10.100 211.152.52.47 other 1433 5000 tcp ? ? REJ X
1094541140.259379 4.830893 217.164.54.166 192.168.10.138 other 6881 35631 tcp 68 0 SF X
1094541142.332284 3.056888 192.168.10.107 202.108.255.203 pop-3 3222 110 tcp 54 3271 SF X
1094541159.929456 0.225219 192.168.10.100 211.152.52.47 other 1433 5000 tcp ? ? REJ X
1094541146.373011 0.140324 192.168.10.108 216.155.193.137 other 1098 5050 tcp ? ? RSTOS0 X
    
    Then,
    # ./bro -r /home/zhangwei/bro0907.dump
    which generates the following "alerts":
1094539834.607852 weird: spontaneous_FIN
1094539847.830742 weird: possible_split_routing
1094539847.856824 weird: data_before_established
1094539847.866336 weird: possible_split_routing
1094539847.866336 weird: data_before_established
1094539847.866483 weird: inappropriate_FIN
1094539848.113024 weird: possible_split_routing
1094539848.139317 weird: data_before_established
1094539848.148563 weird: possible_split_routing
1094539848.148563 weird: data_before_established

I have two questions:
First, are the terms I use, such as "event" and "alerts", right?
Second, can I generate those alerts directly?
        If so, which command should I use? Or how should I modify the source code?


Thanks,
Cliff
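The two outputs quoted in the post are easy to work with outside of Bro once their column layout is known. The following is an added example, not code from the post or from Bro itself: it parses the twelve-column connection lines (start time, duration, originator, responder, service, originator port, responder port, protocol, originator bytes, responder bytes, connection state, flags; "?" marks a value Bro could not determine) and the "<timestamp> weird: <name>" notices, then derives the kind of alert-like summary the poster is after (originators with failed connection attempts, responders that keep receiving half-open SYN/FIN connections, and a tally of weird names). The column layout, the state-code meanings taken from the Bro/Zeek conn log documentation, and the half-open threshold are assumptions; the sample input is the lines from the post.

```python
"""Parse Bro 0.x-style connection summaries and weird notices.

Added example, not Bro's own code.  Assumes the twelve-column connection
layout described in the lead-in; "?" marks a byte count Bro could not
determine.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the connection lines quoted in the post.
SAMPLE_CONN_LOG = """\
1094541140.067097 0.000000 64.53.211.63 192.168.10.138 other 6881 35621 tcp 0 ? SH X
1094541140.410734 12.237875 142.179.55.64 192.168.10.138 other 6884 35617 tcp 0 ? SH X
1094541140.758831 0.092686 192.168.10.119 210.19.14.6 pop-3 2880 110 tcp 0 0 SF X
1094541138.304385 5.093945 192.168.10.138 209.187.140.241 other 35627 6881 tcp 0 0 SF X
1094541142.283356 1.248243 192.168.10.107 202.104.32.234 pop-3 3221 110 tcp 61 6509 SF X
1094541159.391014 0.058311 192.168.10.100 211.152.52.47 other 1433 5000 tcp ? ? REJ X
1094541140.259379 4.830893 217.164.54.166 192.168.10.138 other 6881 35631 tcp 68 0 SF X
1094541142.332284 3.056888 192.168.10.107 202.108.255.203 pop-3 3222 110 tcp 54 3271 SF X
1094541159.929456 0.225219 192.168.10.100 211.152.52.47 other 1433 5000 tcp ? ? REJ X
1094541146.373011 0.140324 192.168.10.108 216.155.193.137 other 1098 5050 tcp ? ? RSTOS0 X
"""

# Constructed sample input: the weird notices quoted in the post.
SAMPLE_WEIRD_LOG = """\
1094539834.607852 weird: spontaneous_FIN
1094539847.830742 weird: possible_split_routing
1094539847.856824 weird: data_before_established
1094539847.866336 weird: possible_split_routing
1094539847.866336 weird: data_before_established
1094539847.866483 weird: inappropriate_FIN
1094539848.113024 weird: possible_split_routing
1094539848.139317 weird: data_before_established
1094539848.148563 weird: possible_split_routing
1094539848.148563 weird: data_before_established
"""

# Connection-state codes as documented for Bro/Zeek conn logs (subset).
CONN_STATES = {
    "SF": "normal establishment and termination",
    "S0": "connection attempt seen, no reply",
    "REJ": "connection attempt rejected",
    "SH": "originator sent SYN then FIN, no SYN-ACK seen (half-open)",
    "RSTOS0": "originator sent SYN then RST, no SYN-ACK seen",
    "OTH": "no SYN seen, just midstream traffic",
}
# States in which the responder never completed a handshake.
FAILED_STATES = {"S0", "REJ", "SH", "RSTOS0"}


@dataclass
class Conn:
    ts: float
    duration: float
    orig: str
    resp: str
    service: str
    orig_port: int
    resp_port: int
    proto: str
    orig_bytes: Optional[int]  # None when Bro logged "?"
    resp_bytes: Optional[int]
    state: str
    flags: str


def _bytes(field: str) -> Optional[int]:
    """Byte counters are "?" when Bro could not determine them."""
    return None if field == "?" else int(field)


def parse_conn_line(line: str) -> Optional[Conn]:
    """Parse one connection line; return None for lines that do not fit
    the assumed twelve-column layout rather than guessing."""
    f = line.split()
    if len(f) != 12:
        return None
    try:
        return Conn(float(f[0]), float(f[1]), f[2], f[3], f[4],
                    int(f[5]), int(f[6]), f[7], _bytes(f[8]), _bytes(f[9]),
                    f[10], f[11])
    except ValueError:
        return None


def parse_conn_log(text: str) -> List[Conn]:
    return [c for c in (parse_conn_line(ln) for ln in text.splitlines()) if c]


def failed_attempts(conns: List[Conn]) -> Dict[str, Counter]:
    """Per originator, how many connections ended in each failure state."""
    out: Dict[str, Counter] = {}
    for c in conns:
        if c.state in FAILED_STATES:
            out.setdefault(c.orig, Counter())[c.state] += 1
    return out


def half_open_responders(conns: List[Conn], min_count: int = 2) -> List[str]:
    """Responders hit by at least min_count half-open (SH) connections,
    sorted.  The threshold is an assumption for this example."""
    hits = Counter(c.resp for c in conns if c.state == "SH")
    return sorted(h for h, n in hits.items() if n >= min_count)


def count_weird(text: str) -> Counter:
    """Tally weird notice names from lines of the form '<ts> weird: <name>'."""
    counts: Counter = Counter()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 3 and f[1] == "weird:":
            counts[f[2]] += 1
    return counts


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_CONN_LOG)
    for orig, states in failed_attempts(conns).items():
        print(orig, dict(states))
    print("half-open targets:", half_open_responders(conns))
    print("weird:", dict(count_weird(SAMPLE_WEIRD_LOG)))
```

Run as a script it reads the embedded samples; point `parse_conn_log` and `count_weird` at the contents of a real Bro output file to summarise it the same way. Lines whose column count does not match are dropped rather than misparsed, so a format change between Bro versions shows up as missing records instead of wrong ones.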