[Bro] Alarms in log vs alarms in report

Brian Tierney bltierney at lbl.gov
Fri Mar 24 07:10:46 PST 2006


The "likely successful, likely unsuccessful, etc" categories are generated
by the report generation script, based on whether or not there
are subsequent successful connections to the same host. So there
is no easy way to do this in the logs.


On Mar 21, 2006, at 9:43 PM, François Gagnon wrote:

> Hi,
>
> I have noticed that Bro can provide the user with a fine-grained
> classification of alarms in the reports (likely unsuccessful, likely
> successful, ...). However, in the log, Bro provides me with a less
> specific classification (alarm vs no alarm) with no indication of the
> potential success (or failure) of the attack. I think that the events
> in the log correspond to likely successful attacks only (correct me if
> I am wrong).
>
> I am wondering if there is any way to get Bro to output all events in
> the log WITH their classification (likely successful, likely
> unsuccessful, ...) or if this feature is reserved specifically for
> reports?
>
> Thank you very much!
>
> ---
> François Gagnon
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------------------------------------------------------------------------------------
   Brian L. Tierney,   Lawrence Berkeley National Laboratory (LBNL)
   1 Cyclotron Rd.  MS: 50B-2239,  Berkeley, CA  94720
   tel: 510-486-7381    fax: 510-495-2998   efax:  425-642-4558
   bltierney at lbl.gov   http://dsd.lbl.gov/~tierney
------------------------------------------------------------------------------------------
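The reply explains that the "likely successful / likely unsuccessful" label is not in the alarm log itself but is derived afterwards by the report script, by checking whether a successful connection to the same host follows the alarm. The script below is an added example of that kind of post-processing, written for this thread; it is not Bro's report script and not code from either poster. The record layouts (`ts src dst note` for alarms, `ts src dst state` for connections, with `SF` meaning a normal, completed connection) are constructed for the demo and are not Bro's real log formats, and the rule "a completed connection from the same source to the same destination host within `window` seconds after the alarm" is a simplified reading of the heuristic the reply describes.

```python
"""Attach a likely-successful / likely-unsuccessful label to alarms by
correlating them with later connection records to the same host.

Added example, not Bro's own report script.  Record formats and the
sample data are constructed for this demo.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

LIKELY_SUCCESSFUL = "likely successful"
LIKELY_UNSUCCESSFUL = "likely unsuccessful"


@dataclass(frozen=True)
class Alarm:
    ts: float
    src: str
    dst: str
    note: str


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    state: str  # constructed convention: "SF" = established and finished normally


def _records(lines: Iterable[str]):
    """Yield whitespace-split fields, skipping blank and comment lines."""
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(None, 3)


def parse_alarms(lines: Iterable[str]) -> List[Alarm]:
    return [Alarm(float(ts), src, dst, note) for ts, src, dst, note in _records(lines)]


def parse_conns(lines: Iterable[str]) -> List[Conn]:
    return [Conn(float(ts), src, dst, state) for ts, src, dst, state in _records(lines)]


def classify(alarms: List[Alarm], conns: List[Conn], window: float = 300.0) -> Dict[Alarm, str]:
    """Label each alarm by whether a completed connection from the same
    source to the same destination host starts within `window` seconds
    after the alarm.  Connections before the alarm do not count."""
    # Index completed connections by (src, dst) so the scan is linear in the
    # number of alarms plus connections rather than their product.
    completed: Dict[tuple, List[float]] = {}
    for c in conns:
        if c.state == "SF":
            completed.setdefault((c.src, c.dst), []).append(c.ts)

    labels: Dict[Alarm, str] = {}
    for a in alarms:
        later = completed.get((a.src, a.dst), [])
        hit = any(a.ts < t <= a.ts + window for t in later)
        labels[a] = LIKELY_SUCCESSFUL if hit else LIKELY_UNSUCCESSFUL
    return labels


def annotate(alarms: List[Alarm], conns: List[Conn], window: float = 300.0) -> List[str]:
    """Render alarms as log-style lines with the derived label appended."""
    labels = classify(alarms, conns, window)
    return [f"{a.ts:.1f} {a.src} {a.dst} {a.note} [{labels[a]}]" for a in alarms]


# Constructed sample data: three alarms and the connections around them.
ALARM_LINES = [
    "# ts src dst note",
    "1000.0 10.0.0.5 192.168.1.10 probe",
    "1200.0 10.0.0.7 192.168.1.20 login-attempt",
    "2000.0 10.0.0.9 192.168.1.30 probe",
]
CONN_LINES = [
    "# ts src dst state",
    "900.0  10.0.0.7 192.168.1.20 SF",   # completed, but BEFORE the alarm at 1200
    "1005.0 10.0.0.5 192.168.1.10 SF",   # completed shortly after the alarm at 1000
    "1210.0 10.0.0.7 192.168.1.20 REJ",  # rejected, not a success
    "2500.0 10.0.0.9 192.168.1.30 SF",   # completed, but outside the 300 s window
]


def demo_labels(window: float = 300.0) -> List[str]:
    """Labels for the constructed sample, in alarm order."""
    alarms, conns = parse_alarms(ALARM_LINES), parse_conns(CONN_LINES)
    labels = classify(alarms, conns, window)
    return [labels[a] for a in alarms]


if __name__ == "__main__":
    for line in annotate(parse_alarms(ALARM_LINES), parse_conns(CONN_LINES)):
        print(line)
```

Only the first alarm gets the "likely successful" label: the second is followed only by a rejected connection (its completed one predates the alarm), and the third's completed connection falls outside the correlation window. The window is the knob that most changes the result, so whatever value a real report script uses should be stated alongside its output.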