[Bro] Empty reports!!
Brian Tierney
BLTierney at lbl.gov
Wed Jul 20 14:27:36 PDT 2005
The reports are just a reformated version of the information in the
Alarm file.
There is very little new info, it is just easier to read the report.
Do you have lots of entries in your alarm file?
To separate "attacks" from "false positives" usually requires
detailed knowledge
of your traffic, and what traffic is legitimate and what is not.
The reports will not help with this.
Hope this helps.
On Jul 19, 2005, at 2:20 PM, Angelita de Cássia Corrêa wrote:
> Brian,
>
> Do you have some news about the report project ? I didn't obtain
> results
> with reports, it generates empty. :(
>
> And I need to analyse the alerts in detail. I need to identify if
> alerts are
> scan ou what kind of attacks, or if they are false positives. Do you
> understand me?
>
> The logs are not enough to obtain these information.
>
> Thanks
> Angelita
>
>
> ----- Original Message -----
> From: "Brian Tierney" <BLTierney at lbl.gov>
> To: "Angelita de Cássia Corrêa" <angelita at uol.com.br>
> Cc: <Bro at bro-ids.org>; <bro at ICSI.Berkeley.EDU>
> Sent: Monday, June 27, 2005 6:21 PM
> Subject: Re: [Bro] Empty reports!!
>
>
>
> The report generation component of Bro is very much still in the "pre-
> alpha" stages, and the student
> who was working on this is now working on another project.
>
> I'll try to answer a couple of your questions:
>
> 1) scan reporting is off by default, the reports were too long with
> all the scans included
> (Im not sure how to turn them on)
> 2) by default, the report scripts look for "yesterdays" data, so you
> have to collect 1 days data,
> then run the report
> 3) there should be nothing in the /usr/local/bro/archive directory
> unless you are running
> the cron script: bro_log_compress.sh
>
>
> You'll likely need to modify the report generation scripts by hand to
> get them to generate
> exactly what you want.
>
> Hope this helps.
>
>
> On Jun 21, 2005, at 11:29 AM, Angelita de Cássia Corrêa wrote:
>
>
>> Administrators,
>>
>> I have bro version bro-0.9a9 running. I see files in /usr/local/
>> bro/logs correctly, but the reports are empty.
>>
>> The other problem is the /usr/local/bro/archive direttory is empty
>> too.
>>
>> What can I do to generate the correctly reports?
>>
>> I tested with one and two interfaces (etho and eth1), I'm using Red
>> Hat Enterprise ES 3.
>>
>> I saw the traffice using tcpdump.
>>
>>
>> Thanks!
>> Angelita
>>
>>
>>
>>
>
> ----------------------------------------------------------------------
> --
> -------------------
> Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
> 1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
> tel: 510-486-7381 fax: 510-495-2998 efax: 240-332-4065
> bltierney at lbl.gov http://www-didc.lbl.gov/~tierney
> ----------------------------------------------------------------------
> --
> ------------------
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
------------------------------------------------------------------------
-------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 240-332-4065
bltierney at lbl.gov http://dsd.lbl.gov/~tierney
------------------------------------------------------------------------
------------------
More information about the Bro
mailing list