[Bro] Question from a beginner

John Ngo ngojp82 at gmail.com
Mon Apr 2 20:06:01 PDT 2012


Hi all,

I've used BRO for over a year now (ver 1.5 and older). However, I'm not an
advanced user. Most of my time with BRO is spent accessing dns and http logs for
analysis, and nothing fancy like writing scripts or setting up a BRO box
(all of our BRO boxes were set up by someone else). Today, I decided to do
something new and installed a brand new BRO 2.0 box. And let me tell
you... it is night and day different from ver 1.5. Anyway, after
installation, I started it up... and have no idea where to go next... :(

Here is what I'm trying to do with this setup for now: have it detect and
send email alerts on any downloads of executable/suspicious files. I
remember one of our old boxes used a script called
"http-ext-identified-files.bro" for this purpose (I believe it was written by
Mr. Seth Hall). In the new BRO 2.0, I've looked around the
/base/protocols/http folder and found something similar. How do I get this
to work and have it email a specified email address when a host downloads
these files? How do I get BRO to email me whenever something is
triggered?

Thanks much for your time,
JPN
