[Bro] Bro Scripting Question

Neslog neslog at gmail.com
Thu Oct 13 15:22:06 PDT 2011


Check out the Bro workshop a few years ago.  They had you create a
learning policy that would baseline hosts and alarm on deviations.
Same could be done for the other policies I believe.

Seth will have some great insight though.

J

On 10/13/11, William Seemann <wseemann at gmail.com> wrote:
> Hello,
>      I'm new to the world of Bro but I'm attempting to complete a small
> project for a graduate level class at the University of Illinois. The
> concept of the project is to define a set of policy files for a few core
> host services (SMTP, DNS, WEB SERVER). Each service specific policy
> file would ensure that only allowed hosts are running that service. The
> policy file would also ensure that each allowed host is only running a
> specified set of services. With that said, I started writing the policy
> files but had a few questions.
>
> From what I can gather it seems like the new_connection event would be
> an obvious place to perform my checks since it is called for inbound and
> outbound connections. Does this sound like the correct approach? Also,
> is there a simple way to determine what service(s) a host is running
> (smtp, ssh, etc)? In other words, if a host is making an outbound
> connection is there any easy way to tie the traffic to a specific
> service? Right now I'm just logging connections but I'm wondering if
> there is an easier way to determine the service other than trying to tie
> port traffic to a potential service.
>
> I would appreciate any suggestions or advice you could send my way.
> Thanks in advance - William Seemann
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

-- 
Sent from my mobile device
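A sketch of the two checks William describes (allowed hosts per service, and allowed services per host), added here as an example and not code from the thread or from the Bro project; it assumes Bro 2.x script syntax, and the module name, notice type and 192.0.2.x addresses are placeholders. It hooks connection_state_remove rather than new_connection because the connection's service set is filled in by protocol detection while the connection runs, which is also the answer to the "tie traffic to a service" question: the detected service, not the port, is what gets checked.

```bro
##! Added example: per-service and per-host whitelisting (Bro 2.x syntax, assumed).
module ServiceAudit;

export {
    redef enum Notice::Type += {
        ## A host answered for a service it is not authorised to run.
        Unauthorized_Service,
    };

    ## Hosts allowed to run each service, keyed by the DPD service name
    ## ("SMTP", "DNS", "HTTP"). Addresses are hypothetical placeholders.
    const allowed_hosts: table[string] of set[addr] = {
        ["SMTP"] = set(192.0.2.25),
        ["DNS"]  = set(192.0.2.53),
        ["HTTP"] = set(192.0.2.80),
    } &redef;

    ## Services each monitored host may run; anything else is reported.
    const host_services: table[addr] of set[string] = {
        [192.0.2.25] = set("SMTP"),
        [192.0.2.53] = set("DNS"),
        [192.0.2.80] = set("HTTP"),
    } &redef;
}

## c$service is populated by dynamic protocol detection, so it is normally
## empty inside new_connection; at connection_state_remove it holds the
## final set of services seen on the connection.
event connection_state_remove(c: connection)
{
    local server = c$id$resp_h;

    for ( svc in c$service )
    {
        # Service-centric check: is this responder an allowed server for svc?
        if ( svc in allowed_hosts && server !in allowed_hosts[svc] )
            NOTICE([$note=Unauthorized_Service, $conn=c,
                    $msg=fmt("%s answered %s but is not an allowed %s server",
                             server, svc, svc)]);

        # Host-centric check: is svc among the services this host may run?
        if ( server in host_services && svc !in host_services[server] )
            NOTICE([$note=Unauthorized_Service, $conn=c,
                    $msg=fmt("%s ran unexpected service %s", server, svc)]);
    }
}
```

Connections whose service stays undetected (for example traffic on a non-standard port that no analyzer confirms) produce an empty c$service and pass silently, so pair this with the conn.log review already in place.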



More information about the Bro mailing list