[Bro] First use of Bro

Seth Hall seth at remor.com
Wed Jul 14 05:06:35 PDT 2010


On Jul 13, 2010, at 10:39 PM, Ben Rosenberg wrote:

> I have started poking around some of the scripts and trying a few of the exercises in the slides from the 2009 Bro workshop. So far everything is working well.

Cool!

> I have created a few patches to fix small problems I had or add features that I was looking for. 

Even cooler!

> - Patched main.cc to add the -N command line flag.
> - Removed duplicate login_non_failure_msgs from policy/login.bro.
> - Commented out example in policy/scan.bro. 
> - Edited policy/ssh.bro to print what port is being used for ssh servers.
> - Created policy/dpd.ssh.bro that tells ssh to capture on all tcp ports.
> - Changed src/DPM.cc so that the SSH Analyzer is hooked into the analyzer tree

It would be best to submit these as patch tickets into the tracker at: http://tracker.icir.org/bro/

I'll coordinate with you off-list for getting a tracker account set up.  We removed the ability for people to create their own accounts due to abuse.

> I also started to convert the 6000+  Nmap service probe signatures into dpd signatures.

Unfortunately, without a corresponding analyzer the most you can do is log what protocol was possibly seen on the connection.  I've thought of doing the same thing before and it's pretty easy at least.  The only reason I stopped was that there weren't too many worthwhile protocols, but I was looking at the regexes from the l7-filters project.  Maybe the nmap signatures are better?

I have a set of scripts you may be interested in checking out at: 
   http://github.com/sethhall/bro_scripts

Let me know if you have any questions.

  .Seth
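To illustrate the distinction Seth draws above between a DPD signature that merely logs a probable protocol and one that hands the connection to a real analyzer, here is an added example in Bro's signature language; it is not code from the thread, the signature names and the VNC probe regex (transcribed from the Nmap service-probes `match vnc` pattern) are my own assumptions, and it presumes the file is loaded via the signatures policy as any other `.sig` file would be.

```bro
# Added example, not from the original post.
# 1. A signature with a backing analyzer: when the responder's first bytes
#    look like an SSH banner, "enable" hooks the SSH analyzer onto the
#    connection so the ssh.bro policy gets real protocol events.
signature dpd_ssh_server_example {
  ip-proto == tcp
  payload /^[sS][sS][hH]-/
  tcp-state responder
  enable "ssh"
}

# 2. A converted Nmap service probe with NO Bro analyzer behind it.
#    Nmap's pattern is  m|^RFB (\d\d\d)\.(\d\d\d)\n|  ; Bro regexes are
#    flex-style, so \d becomes [0-9].  The only available action is
#    "event", which raises signature_match and is logged as a possible
#    protocol sighting; nothing parses the session afterwards.
signature nmap_vnc_server_example {
  ip-proto == tcp
  payload /^RFB [0-9]{3}\.[0-9]{3}\n/
  tcp-state responder
  event "Possible VNC server (no analyzer; logged only)"
}
```

The first form is what policy/dpd.ssh.bro-style port-independent detection relies on; the second is the ceiling for bulk-converted Nmap probes until an analyzer exists for the protocol.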
