[Bro] False positive

Angelita de Cássia Corrêa angelita at uol.com.br
Mon Jul 18 17:15:10 PDT 2005


I see in the documentation that bro has some scripts in /usr/local/bro/bin like
nf and hf, and they make the logs human-readable. How can I use this? Do I
start it in underground form, after or before bro.rc?
I think it can help me to analyse the logs. Do you agree?

Thanks
Angelita
----- Original Message -----
From: "Jason Lee" <jrlee at lbl.gov>
To: "Angelita de Cássia Corrêa" <angelita at uol.com.br>
Sent: Monday, July 18, 2005 7:43 PM
Subject: Re: [Bro] False positive


I would suggest taking a 'snapshot' of known traffic
(one that contains 'worthy events' (attacks)) and running
that through bro.

If your snapshot is small enough, you should be able
to trace through it to check if you are getting any
'false positives'.

Then perhaps run the same snapshot
through several other IDSs and compare the output.

This should let you know if bro is missing any
events.

It's a very time consuming process.

Cheers,
jason


Angelita de Cássia Corrêa wrote:
> Sirs,
>
> What is the best way to analyse the packets received by BRO?
> I need to calculate how many false positives bro detected in a
> determined period.
>
> I didn't have success with reports; I keep receiving empty reports, so
> I need to analyse the logs or use another way to detect which event is a
> false positive and why it is not.
>
> Please, can you help me?
>
> Thanks
> Angelita
>
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

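Jason's procedure (run a labelled snapshot through the IDS, then check which alerts correspond to the known attacks) and Angelita's goal (count false positives in a given period) can be scored with a small script. The example below is added here and is not code from the thread or from Bro itself; the event records and timestamps are constructed, and the field names are an assumption rather than any Bro log format.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    """One IDS alert, or one known attack from the snapshot's labels (assumed fields)."""
    ts: float   # epoch seconds
    src: str
    dst: str
    name: str


def score_period(alerts: Iterable[Event], known: Iterable[Event],
                 start: float, end: float, tolerance: float = 5.0) -> dict:
    """Count true/false positives and false negatives inside [start, end).

    An alert is a true positive if a labelled attack with the same src/dst/name
    lies within `tolerance` seconds of it. Each labelled attack can confirm at
    most one alert, so a repeated alert for the same attack counts as a false
    positive; labelled attacks that no alert confirms are false negatives.
    """
    def in_window(e: Event) -> bool:
        return start <= e.ts < end

    pending = [k for k in known if in_window(k)]      # attacks not yet confirmed
    tp = fp = 0
    for a in (e for e in alerts if in_window(e)):
        match = next((k for k in pending
                      if (k.src, k.dst, k.name) == (a.src, a.dst, a.name)
                      and abs(k.ts - a.ts) <= tolerance), None)
        if match is None:
            fp += 1
        else:
            tp += 1
            pending.remove(match)
    return {"tp": tp, "fp": fp, "fn": len(pending),
            "fp_rate": fp / (tp + fp) if tp + fp else 0.0}


# Constructed sample data (not from the thread): labels for the snapshot and
# what the IDS reported on it.
T0 = 1_121_733_600.0
KNOWN = [
    Event(T0 + 10, "10.0.0.5", "10.0.0.9", "portscan"),
    Event(T0 + 60, "10.0.0.7", "10.0.0.9", "ftp_exploit"),
    Event(T0 + 200, "10.0.0.6", "10.0.0.9", "dns_tunnel"),     # never alerted on
    Event(T0 + 900, "10.0.0.8", "10.0.0.9", "ssh_bruteforce"),  # outside the 10-minute window
]
ALERTS = [
    Event(T0 + 12, "10.0.0.5", "10.0.0.9", "portscan"),      # true positive
    Event(T0 + 61, "10.0.0.7", "10.0.0.9", "ftp_exploit"),   # true positive
    Event(T0 + 300, "10.0.0.3", "10.0.0.9", "portscan"),     # false positive: no such attack
    Event(T0 + 64, "10.0.0.7", "10.0.0.9", "ftp_exploit"),   # false positive: repeat of a confirmed attack
]


def demo() -> dict:
    """Score the first ten minutes of the constructed snapshot."""
    return score_period(ALERTS, KNOWN, T0, T0 + 600)
```

Swapping in another IDS's alerts for `ALERTS` against the same `KNOWN` labels gives the cross-tool comparison Jason describes.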