[Bro] Redirect Chain Script

anthony kasza anthony.kasza at gmail.com
Fri Nov 7 10:29:34 PST 2014


I'm glad you like it.
You shouldn't plug this script directly into a production sensor without
modifying it a bit. I wrote it with a very specific use case in mind:
highlighting important connections in pcaps recorded in VMs that visit
drive-by sites.

-AK
On Nov 7, 2014 10:02 AM, "James Lay" <jlay at slave-tothe-box.net> wrote:

> On 2014-11-06 21:19, anthony kasza wrote:
> > If anyone is interested I have the beginnings of a redirect/driveby
> > analysis policy script here:
> >
> > <https://github.com/anthonykasza/scratch_pad/tree/master/redirections>.
> >
> > I've only tested it on pcaps but it seems to work nicely. I imagine the
> > output is a little difficult to interpret if you don't understand what
> > the script is doing but I think it may be a good foundation for
> > something. Thoughts and feedback are welcome.
> >
> > -AK
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> Yea this is kind of cool....in a nutshell, this adds:
>
> dns_domain      dns_uid http_uri        http_domain  http_uid
>
> to your conn.log...kind of handy for tracking...thanks for this
> Anthony...I'll try this out full on in dev and if good go into
> production.  I'll let you know if I run into any snags or surprises.
>
> James
>
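To make concrete what those five extra conn.log columns can carry, here is an added illustration of the kind of join involved. It is my code, not Anthony's script from the GitHub link above: it works from exported dns/http/conn log rows (constructed samples, a subset of the real Bro fields) rather than live events, and it assumes that dns_* names the lookup that resolved a connection's destination and that http_* names the previous HTTP hop found via the Referer header, neither of which the thread spells out.

```python
"""Added illustration, not the script from the thread: join Bro dns.log,
http.log and conn.log rows to tag each connection with the DNS lookup that
resolved its destination and the HTTP request that referred to it.
The column meanings are assumptions; all log rows below are constructed."""
from collections import namedtuple

Chain = namedtuple("Chain", "dns_domain dns_uid http_uri http_domain http_uid")

# Constructed, simplified log rows (tab-separated, subset of Bro fields).
DNS_LOG = """uid\tquery\tanswers
Cdns1\tlanding.example\t203.0.113.10
Cdns2\tcdn.example\t203.0.113.20"""
HTTP_LOG = """uid\thost\turi\treferrer
Chttp1\tlanding.example\t/index.html\t-
Chttp2\tcdn.example\t/payload.js\thttp://landing.example/index.html"""
CONN_LOG = """uid\tid.resp_h
Cdns1\t198.51.100.53
Chttp1\t203.0.113.10
Chttp2\t203.0.113.20"""


def rows(log):
    """Turn a header line plus tab-separated rows into a list of dicts."""
    lines = log.splitlines()
    names = lines[0].split("\t")
    return [dict(zip(names, l.split("\t"))) for l in lines[1:]]


def build_chains(dns_log, http_log, conn_log):
    """Return {conn uid: Chain} with '-' where a hop cannot be linked."""
    # resolved address -> (query, uid of the DNS connection that answered it)
    resolved = {}
    for r in rows(dns_log):
        for a in r["answers"].split(","):
            resolved.setdefault(a, (r["query"], r["uid"]))
    http_by_uid = {r["uid"]: r for r in rows(http_log)}
    # "http://host/uri" -> uid of that request, used to walk the Referer back one hop
    by_url = {"http://%s%s" % (r["host"], r["uri"]): r["uid"] for r in http_by_uid.values()}
    out = {}
    for c in rows(conn_log):
        dns_domain, dns_uid = resolved.get(c["id.resp_h"], ("-", "-"))
        http_uri = http_domain = http_uid = "-"
        req = http_by_uid.get(c["uid"])
        if req and req["referrer"] in by_url:
            prev = http_by_uid[by_url[req["referrer"]]]
            http_uri, http_domain, http_uid = prev["uri"], prev["host"], prev["uid"]
        out[c["uid"]] = Chain(dns_domain, dns_uid, http_uri, http_domain, http_uid)
    return out
```

On the sample rows, the connection for Chttp2 is linked back to the cdn.example lookup (Cdns2) and to the landing page request (Chttp1) that referred to it, which is the kind of chain a drive-by pcap from a sandbox VM would show.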