[Bro] Signatures

David Rodrigues david.network.security at gmail.com
Thu Feb 10 23:56:47 PST 2011


I'm using 'nc' to see how BroIDS behaves. For now, it's not a problem of speed.

Maybe later... I want to use it at a 10Gbps network speed. Maybe
100Gbps in 1/2 years.

On Thu, Feb 10, 2011 at 3:54 PM, Neslog <neslog at gmail.com> wrote:
> Not sure within policy but you may want to try tcpreplay and set to
> generate the traffic at wire speed instead of disk I/O.
>
> On 2/10/11, David Rodrigues <david.network.security at gmail.com> wrote:
>> Thanks,
>>
>> using @load file-flush (with a dash) worked :)
>>
>> But now I'm running into another problem.
>>
>> The signature is only triggered once for the same host and for a given
>> period of time.
>>
>> Is there a way to report every single signature match?
>>
>> On Wed, Feb 9, 2011 at 7:20 PM, Seth Hall <seth at icir.org> wrote:
>>>
>>> On Feb 9, 2011, at 1:14 PM, Neslog wrote:
>>>
>>>> How about the file_flush.bro?  When I'm testing I load that one with a
>>>> short time interval.
>>>
>>>
>>> Good catch.  I had a nagging feeling that I was missing something.
>>>
>>>  .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro-ids.org/
>>
>
> --
> Sent from my mobile device
>
