[Bro] Signatures

David Rodrigues david.network.security at gmail.com
Wed Feb 9 07:42:29 PST 2011


Thanks Seth. But I still have no information in the log files.

My files are simple, but maybe something is wrong...

local.site.bro:
@load site
@load signatures
@load notice
redef signature_files += "/opt/bro/site/signatures.sig";

signatures.sig:
signature sig-1-1 {
  event "my signature"
  payload /.*my/
}

I have also tried to change local.site.bro to:
@load site
@load signatures
@load notice
redef signature_files += "/opt/bro/site/signatures.sig";
redef signature_actions += {
  ["sig-1-1"] = SIG_FILE,
};

./bro --debug-rules -i eth2 /opt/bro/site/local.site.bro
outputs:
1297265765.179661 SensitiveSignature 192.168.1.60: my signature

But I still have empty log files (notice.log and signatures.log).

On Wed, Feb 9, 2011 at 4:21 PM, Seth Hall <seth at icir.org> wrote:
>
> On Feb 9, 2011, at 10:11 AM, David Rodrigues wrote:
>
>> You are right. It created a file named signatures.log in the current
>> working directory (not in the log directory). However, it's empty :(
>
> The log directory is used by BroControl.  If you execute the bro binary on the command line, it won't have all of the nice BroControl log rotation and functionality for managing and running production Bro instances.
>
>> Do I need to do something else?
>
>
> Try loading the notice.bro script and see if you get the signature match output into the notice.log file.  I'm not sure offhand why you aren't seeing the signature match in signatures.log.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
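An added example, not part of this thread or of Bro's own scripts: a small policy script that hooks the signature_match event so that every match is printed to stdout when bro is run from the command line, independent of whether signatures.log or notice.log is being written. It assumes the Bro 1.x event signature signature_match(state, msg, data), that the signature file lives at the path used above, and that the connection record's id field carries orig_h/resp_h.

```bro
# sigdebug.bro (added example, assumptions noted in the lead-in)
# Load the signature engine and point it at the same file as in the thread.
@load signatures
redef signature_files += "/opt/bro/site/signatures.sig";

# Counter so a summary can be printed when Bro exits.
global sig_matches = 0;

# Fired by the signature engine for every rule whose "event" keyword is set.
# msg is the string given in the signature's event line ("my signature").
event signature_match(state: signature_state, msg: string, data: string)
    {
    ++sig_matches;
    local c = state$conn;
    # state$is_orig tells whether the matching payload came from the originator.
    local direction = state$is_orig ? "orig->resp" : "resp->orig";
    print fmt("%.6f signature_match: %s  %s:%d -> %s:%d (%s)  %d payload bytes",
              network_time(), msg,
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              direction, |data|);
    }

# Summary at shutdown: zero here means the engine never fired the event,
# which points at the signature or load path rather than at the log writers.
event bro_done()
    {
    print fmt("total signature matches seen: %d", sig_matches);
    }
```

Run it with the same command as above but with sigdebug.bro added after local.site.bro; if the matches print here but signatures.log stays empty, the problem is in the logging configuration rather than in the signature itself.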
