[Bro] Empty reports!!

Brian Tierney BLTierney at lbl.gov
Wed Jul 20 14:27:36 PDT 2005


The reports are just a reformatted version of the information in the
Alarm file.
There is very little new info, it is just easier to read the report.

Do you have lots of entries in your alarm file?

To separate "attacks" from "false positives" usually requires detailed knowledge
of your traffic, and what traffic is legitimate and what is not.

The reports will not help with this.

Hope this helps.


On Jul 19, 2005, at 2:20 PM, Angelita de Cássia Corrêa wrote:

> Brian,
>
> Do you have some news about the report project?  I didn't obtain results
> with reports, it generates empty. :(
>
> And I need to analyse the alerts in detail. I need to identify if alerts are
> scans or what kind of attacks, or if they are false positives. Do you
> understand me?
>
> The logs are not enough to obtain this information.
>
> Thanks
> Angelita
>
>
> ----- Original Message -----
> From: "Brian Tierney" <BLTierney at lbl.gov>
> To: "Angelita de Cássia Corrêa" <angelita at uol.com.br>
> Cc: <Bro at bro-ids.org>; <bro at ICSI.Berkeley.EDU>
> Sent: Monday, June 27, 2005 6:21 PM
> Subject: Re: [Bro] Empty reports!!
>
>
>
> The report generation component of Bro is very much still in the "pre-alpha"
> stages, and the student who was working on this is now working on another
> project.
>
> I'll try to answer a couple of your questions:
>
> 1) scan reporting is off by default, the reports were too long with
>    all the scans included (I'm not sure how to turn them on)
> 2) by default, the report scripts look for "yesterday's" data, so you
>    have to collect 1 day's data, then run the report
> 3) there should be nothing in the /usr/local/bro/archive directory
>    unless you are running the cron script: bro_log_compress.sh
>
>
> You'll likely need to modify the report generation scripts by hand to
> get them to generate exactly what you want.
>
> Hope this helps.
>
>
> On Jun 21, 2005, at 11:29 AM, Angelita de Cássia Corrêa wrote:
>
>
>> Administrators,
>>
>> I have bro version bro-0.9a9 running.  I see files in /usr/local/bro/logs
>> correctly, but the reports are empty.
>>
>> The other problem is the /usr/local/bro/archive directory is empty
>> too.
>>
>> What can I do to generate the reports correctly?
>>
>> I tested with one and two interfaces (eth0 and eth1), I'm using Red
>> Hat Enterprise ES 3.
>>
>> I saw the traffic using tcpdump.
>>
>>
>> Thanks!
>> Angelita
>>
>>
>>
>>
>
> -------------------------------------------------------------------------
>    Brian L. Tierney,   Lawrence Berkeley National Laboratory (LBNL)
>    1 Cyclotron Rd.  MS: 50B-2239,  Berkeley, CA  94720
>    tel: 510-486-7381    fax: 510-495-2998   efax:  240-332-4065
>    bltierney at lbl.gov   http://www-didc.lbl.gov/~tierney
> -------------------------------------------------------------------------
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>

---------------------------------------------------------------------------
   Brian L. Tierney,   Lawrence Berkeley National Laboratory (LBNL)
   1 Cyclotron Rd.  MS: 50B-2239,  Berkeley, CA  94720
   tel: 510-486-7381    fax: 510-495-2998   efax:  240-332-4065
   bltierney at lbl.gov   http://dsd.lbl.gov/~tierney
---------------------------------------------------------------------------
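Added example, not part of the thread above and not Bro's own report code: the point Brian makes is that separating attacks from false positives depends on site knowledge (which hosts are allowed to scan, which address space is yours, which alarm types are known noise), and no generic report can supply that. The script below shows one way to encode that knowledge as a small triage policy applied over alarm records. The record layout (timestamp, alarm type, source, destination, port) and the sample lines are constructed for the example and do not reproduce the real Bro 0.9a9 alarm file format; the policy values are likewise assumptions.

```python
"""Triage alarm records with site knowledge (added example, not Bro code).

The record layout below is a constructed, simplified stand-in for an
alarm file: "<date> <time> <alarm type> <src> <dst> <port>". It is NOT
the real Bro 0.9 alarm format. What it illustrates is that the same
alarm type can be expected, ignorable, or worth review depending only
on what you know about your own network.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample alarm records (not real Bro output).
SAMPLE_ALARMS = """\
2005-07-19 02:13:07 PortScan 10.0.5.7 192.0.2.10 22
2005-07-19 02:13:07 PortScan 10.0.5.7 192.0.2.11 22
2005-07-19 02:13:08 PortScan 10.0.5.7 192.0.2.12 22
2005-07-19 03:40:11 AddressScan 198.51.100.23 192.0.2.1 445
2005-07-19 03:40:12 AddressScan 198.51.100.23 192.0.2.2 445
2005-07-19 09:15:44 HTTP_SensitiveURI 203.0.113.9 192.0.2.80 80
2005-07-19 10:02:01 SSH_LoginFailure 203.0.113.50 192.0.2.22 22
2005-07-19 11:30:00 SSH_LoginFailure 192.0.2.40 192.0.2.22 22
"""

# Site knowledge: the part no generic report can supply (assumed values).
SITE_POLICY = {
    # hosts that are *supposed* to scan, e.g. the site's vulnerability scanner
    "authorized_scanners": {"10.0.5.7"},
    # address space administered by this site
    "internal_nets": [ipaddress.ip_network("192.0.2.0/24"),
                      ipaddress.ip_network("10.0.0.0/8")],
    # alarm types already tuned out as known noise on this site
    "ignored_types": {"HTTP_SensitiveURI"},
}


def parse_alarms(text):
    """Parse the constructed record format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, kind, src, dst, port = line.split()
        records.append({"ts": f"{date} {time}", "type": kind,
                        "src": src, "dst": dst, "port": int(port)})
    return records


def is_internal(addr, policy):
    """True if addr falls inside one of the site's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in policy["internal_nets"])


def classify(rec, policy):
    """Label one record: 'expected', 'ignored', 'internal-review' or 'review'."""
    if rec["src"] in policy["authorized_scanners"]:
        return "expected"          # a known scanner doing its job
    if rec["type"] in policy["ignored_types"]:
        return "ignored"           # tuned-out noise for this site
    if is_internal(rec["src"], policy):
        return "internal-review"   # internal source: possibly a compromised host
    return "review"                # external source, needs analyst attention


def triage(text, policy):
    """Group alarms by label and by (source, type), collapsing scan bursts."""
    groups = defaultdict(Counter)
    for rec in parse_alarms(text):
        groups[classify(rec, policy)][(rec["src"], rec["type"])] += 1
    return {label: dict(counts) for label, counts in groups.items()}


if __name__ == "__main__":
    for label, sources in sorted(triage(SAMPLE_ALARMS, SITE_POLICY).items()):
        print(label)
        for (src, kind), n in sorted(sources.items()):
            print(f"  {src:<16} {kind:<20} {n} alarm(s)")
```

Run as-is it prints the three PortScan alarms from the authorized scanner under "expected", the external AddressScan burst and external SSH failures under "review", the internal SSH failures under "internal-review", and the tuned-out HTTP alarm under "ignored". Swap in your own policy values and the same alarm lines land in different buckets, which is exactly why the reformatted report alone cannot make the call.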