[Bro] Something is not clear to me concerning reporting
Ian Dickens
ian at south-border.com
Wed Oct 17 15:11:09 PDT 2012
On Oct 17, 2012, at 5:41 PM, Ian Dickens <ian at south-border.com> wrote:
> So, let's say that I have tcp ports 587 and 993 exposed on my firewall. I have bro running as a cluster on all interfaces. I see logs about well known SSL/HTTP/HTTPS ports but no anomalies in the hourly summaries. No alerts in email either (that I have seen). Now I do need to cruise through all the rotated compressed logs to check and see if something was recorded.
>
> The second thing I am wondering about is that there are no references to interfaces where the traffic was seen. For example, I have no IPv6 but I see unknown IPv6 traffic in the summary. Tools like:
>
> http://isc.sans.edu/tools/ipv6.html#form
>
> can be used to attempt to glean the MAC address to some degree. But I cannot quickly tell which interface the packet came in on to help decide where the threat lies between internal/dmz/external networks. I can make some really good guesses but it might be nice to spell it out in the logs.
>
> Many thanks in advance. Sorry for rambling and if these are features in the works...
>
> Ian
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
Ok, I did a little looking into the 993 reporting. Turns out there is something that shows up in the known.certs for the day but nothing else. I think I need to be patient and do some remote testing from an external source to verify that alarms are indeed working. Also, I did some looking for 587 and got nothing. No connections, no state, no certs - nothing.
Ian
P.S. The IPv6 issue stands - I still cannot quickly tell where the state of the TCP connection lies without SNORT, for example...