[Bro] Redirect Chain Script

James Lay jlay at slave-tothe-box.net
Fri Nov 7 17:34:48 PST 2014


On Fri, 2014-11-07 at 10:29 -0800, anthony kasza wrote:

> I'm glad you like it.
> You shouldn't plug this script directly into a production sensor
> without modifying it a bit. I wrote it with a very specific use case
> in mind: highlighting important connections in pcaps recorded in VMs
> that visit drive by sites.
> 
> -AK
> 
> 
> On Nov 7, 2014 10:02 AM, "James Lay" <jlay at slave-tothe-box.net> wrote:
> 
>         On 2014-11-06 21:19, anthony kasza wrote:
>         > If anyone is interested I have the beginnings of a redirect/driveby
>         > analysis policy script here:
>         >
>         > <https://github.com/anthonykasza/scratch_pad/tree/master/redirections>.
>         >
>         > I've only tested it on pcaps but it seems to work nicely. I imagine the
>         > output is a little difficult to interpret if you don't understand what
>         > the script is doing but I think it may be a good foundation for
>         > something. Thoughts and feedback are welcome.
>         >
>         > -AK
>         > _______________________________________________
>         > Bro mailing list
>         > bro at bro-ids.org
>         > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>         
>         Yeah, this is kind of cool. In a nutshell, this adds:
>         
>         dns_domain      dns_uid    http_uri    http_domain    http_uid
>         
>         to your conn.log. Kind of handy for tracking. Thanks for this,
>         Anthony. I'll try this out full on in dev and if good go into
>         production. I'll let you know if I run into any snags or
>         surprises.
>         

Thanks Anthony...I'll be careful :)

James
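
The five conn.log columns James lists above are a compact illustration of how a Bro policy script extends Conn::Info. The script below is an added example written for this page; it is not Anthony's script from the linked repository, and the meaning it gives the fields is its own assumption: dns_domain/dns_uid name the DNS answer that resolved the connection's responder address, http_uri/http_domain/http_uid describe the first HTTP request seen on the connection. The module name RedirTrack, the record and table names, the expiry interval and the priority trick in connection_state_remove are all choices made here, not anything the thread or the repository specifies.

```zeek
##! Added example, not Anthony's script: attach to each conn.log row the DNS
##! answer that resolved resp_h and the first HTTP request on the connection.
##! Field names follow the thread; their semantics are this example's assumption.

module RedirTrack;

export {
	## How long a DNS answer stays usable for linking (assumed value).
	const dns_answer_expiry = 10 min &redef;
}

# The five columns James describes, added to conn.log as optional fields.
redef record Conn::Info += {
	dns_domain:  string &log &optional;
	dns_uid:     string &log &optional;
	http_uri:    string &log &optional;
	http_domain: string &log &optional;
	http_uid:    string &log &optional;
};

type DnsAnswer: record {
	domain: string;   # name in the A/AAAA record that produced the address
	uid:    string;   # uid of the DNS connection carrying the answer
};

# Most recent A/AAAA answer per resolved address; entries age out on their own.
global resolved: table[addr] of DnsAnswer &write_expire=dns_answer_expiry;

type HttpSeen: record {
	uri:    string;
	domain: string;
	uid:    string;
};

# Per-connection HTTP state held until the connection is logged.
redef record connection += {
	redir_http: HttpSeen &optional;
};

event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
	{
	resolved[a] = [$domain=ans$query, $uid=c$uid];
	}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priority=5
	{
	resolved[a] = [$domain=ans$query, $uid=c$uid];
	}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string) &priority=5
	{
	# Keep only the first request; later requests on a keep-alive
	# connection are not recorded in this example.
	if ( c?$redir_http )
		return;
	c$redir_http = [$uri=original_URI, $domain="", $uid=c$uid];
	}

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
	{
	# Header names arrive upper-cased from the HTTP analyzer.
	if ( is_orig && name == "HOST" && c?$redir_http && c$redir_http$domain == "" )
		c$redir_http$domain = value;
	}

event connection_state_remove(c: connection) &priority=6
	{
	# Runs just before the base Conn script's &priority=5 handler writes the
	# row. Assumption: that script only creates c$conn when it is absent, so a
	# record created here with the same required fields is reused, not replaced.
	if ( ! c?$conn )
		c$conn = [$ts=c$start_time, $uid=c$uid, $id=c$id,
		          $proto=get_port_transport_proto(c$id$resp_p)];

	if ( c$id$resp_h in resolved )
		{
		c$conn$dns_domain = resolved[c$id$resp_h]$domain;
		c$conn$dns_uid    = resolved[c$id$resp_h]$uid;
		}

	if ( c?$redir_http )
		{
		c$conn$http_uri    = c$redir_http$uri;
		c$conn$http_domain = c$redir_http$domain;
		c$conn$http_uid    = c$redir_http$uid;
		}
	}
```

Run it against a capture with `bro -r driveby.pcap redir-track.bro` (or `zeek -r` on current releases) and conn.log gains the five columns, empty (`-`) where nothing linked. Two caveats a practitioner will hit: when the answer came through a CNAME chain, `ans$query` is the name on the A record, not the name the client originally asked for, so dns_domain may show the CDN hostname; and because `resolved` is keyed only by address, a long-lived entry can be attached to a later, unrelated connection to the same IP, which is why the table expires and why this is a pcap-analysis aid rather than something to drop onto a production sensor unchanged, as Anthony says above.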



