[Bro] Alerting question on multi-homed bro box
Eric Wages
ewages at colsa.com
Thu Apr 26 06:59:02 PDT 2007
We have bro configured to span a firewall, so we are watching the
outside traffic, both inbound and outbound, as well as the internal
interface both in and out. We're doing this as a sanity check to
verify that, when attacks occur, if they penetrate and are successful.
One thing that I'm seeing is that, for example, we see successful
triggers, like IRC nickname changes, occur with the server & outside
IP address, but we don't see an equivalent trigger on the internal
interface.
Consider the following alarm:
t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS
sa=A.B.C.D sp=1145/tcp da=E.F.G.H dp=6667/tcp file=s2b-542-10
msg=A.B.C.D:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J tag=@29
where A.B.C.D is one of the outside IPs associated with either the
NAT or PAT range on our firewall. Should I also not see an equivalent
trigger like:
t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS
sa=192.168.x.x sp=1145/tcp da=E.F.G.H dp=6667/tcp file=s2b-542-10
msg=192.168.x.x:\ CHAT\ IRC\ nick\ change sub=NICK\ Homerpf|CHAMP^J tag=@29
where the source is the IP of the internal machine? If not, is there
any way we can configure bro to show those internal entries, since it
will help us find machines that are acting in a naughty manner.
Thanks,
-Eric
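One defender-side way to recover the internal machine behind an outside-interface alarm like the one above is to parse the key=value notice records from both taps and join them on destination, port and time. The following is an added example, not code from the original post or from Bro; the addresses and the inside-interface records are constructed sample data, and the join assumes the firewall keeps the ephemeral source port under 1:1 NAT and falls back to nearest-in-time matching when PAT rewrites it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data in the key=value notice format quoted in the post.
# OUTSIDE_ALARMS: alarm seen on the outside tap, source already translated.
# INSIDE_CONNS: flows seen on the inside tap with the pre-NAT private source.
# A backslash escapes the following character (e.g. "\ " is a literal space).
OUTSIDE_ALARMS = [
    "t=1177511147.420130 no=SensitiveSignature na=NOTICE_ALARM_ALWAYS "
    "sa=203.0.113.10 sp=1145/tcp da=198.51.100.7 dp=6667/tcp file=s2b-542-10 "
    "msg=203.0.113.10:\\ CHAT\\ IRC\\ nick\\ change sub=NICK\\ Homerpf|CHAMP tag=@29",
]
INSIDE_CONNS = [
    "t=1177511147.419900 sa=192.168.5.21 sp=1145/tcp da=198.51.100.7 dp=6667/tcp",
    "t=1177511100.000000 sa=192.168.5.40 sp=2201/tcp da=198.51.100.7 dp=6667/tcp",
]

# key=value pairs; a value runs until an unescaped whitespace character.
_FIELD = re.compile(r'(\w+)=((?:\\.|[^\s\\])*)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one notice line into a dict, removing backslash escapes."""
    return {k: re.sub(r'\\(.)', r'\1', v) for k, v in _FIELD.findall(line)}


def find_internal_source(alarm: Dict[str, str], inside: List[Dict[str, str]],
                         window: float = 2.0) -> Optional[str]:
    """Return the inside-tap source address for an outside-tap alarm.

    Candidates share destination and destination port and fall within
    `window` seconds. An exact source-port match is preferred (1:1 NAT keeps
    the port); under PAT the port is rewritten, so fall back to the candidate
    closest in time. None means no inside flow explains the alarm.
    """
    t = float(alarm["t"])
    cands = [c for c in inside
             if (c["da"], c["dp"]) == (alarm["da"], alarm["dp"])
             and abs(float(c["t"]) - t) <= window]
    exact = [c for c in cands if c["sp"] == alarm["sp"]]
    pick = exact or sorted(cands, key=lambda c: abs(float(c["t"]) - t))[:1]
    return pick[0]["sa"] if pick else None


def correlate(alarms: List[str], conns: List[str]) -> Dict[str, Optional[str]]:
    """Map each outside (translated) alarm source to its internal host."""
    inside = [parse_record(line) for line in conns]
    return {a["sa"]: find_internal_source(a, inside)
            for a in (parse_record(line) for line in alarms)}
```

A stricter deployment would key on the connection's full 5-tuple plus the firewall's own translation log where one is available; time-window joins can mis-attribute when many inside hosts talk to the same server at once.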