[Bro] How can I counter attacks to GMAIL accounts coming from known threats?

Javier Richard Quinto Ancieta richardqa at gmail.com
Sat Jul 11 20:53:34 PDT 2015


Hi everyone,

I am working with Bro and CIF Server through the Intel framework.

All is OK when I test with Infrastructure/scan for the SSH protocol. But I have
problems when I want to filter scanning attacks against Gmail users.

I assumed that a filter for SMTP is:

11.1.1.21      Intel::Email   CIF - need-to-know      smtp    http://www.openbl.org/lists/base_all_smtp-only.txt      (public)        -       medium  85

* 11.1.1.21 (known threat)

I copied this filter into a file (e.g., smtp.intel) and I put it in ./local.bro

I reinstalled bro:

broctl stop
broctl check
broctl install
broctl start

Bro is running with the new filter shown above.

Finally, I tried to access a GMAIL account from the IP 11.1.1.21
(malicious IP) and I didn't receive any response (alert) from Bro IDS.
Thus, I wonder how I can filter malicious users that launch attacks against
Gmail accounts. How do I have to work to counter this attack?

Thank you,
Javier


-- 
Javier
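The record quoted in the message is a single line of a Bro Intel framework input file. That format is tab-separated, starts with a "#fields" header naming the columns, uses "-" for an empty value and "T"/"F" for booleans, and expects one of the framework's fixed indicator types (Intel::ADDR, Intel::EMAIL, Intel::DOMAIN, Intel::URL, and so on). The checker below is an added example, not code from the original post or from the Bro or CIF projects: it parses such a file and reports column-count mismatches, unknown type names, and indicators whose value does not look like the declared type (an IP address labelled as an e-mail type, for instance). The guess_type heuristic and the SAMPLE_INTEL text are my own constructions; the sample reuses the IP and list URL from the message.

```python
import ipaddress
import re

# Indicator types defined by the Bro Intel framework (Bro 2.x names).
INTEL_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}
# Columns every intel file must declare in its "#fields" header.
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def guess_type(indicator):
    """Heuristic (my own, not Bro's): which Intel type does this value look like?"""
    try:
        ipaddress.ip_address(indicator)
        return "Intel::ADDR"
    except ValueError:
        pass
    if EMAIL_RE.match(indicator):
        return "Intel::EMAIL"
    if DOMAIN_RE.match(indicator):
        return "Intel::DOMAIN"
    if indicator.startswith(("http://", "https://")):
        return "Intel::URL"
    return None  # unknown shape; no opinion


def parse_intel_file(text):
    """Parse a Bro intel file. Returns (entries, problems).

    entries:  list of dicts keyed by the header's column names
    problems: human-readable strings, one per defect found
    """
    lines = text.split("\n")
    if not lines or not lines[0].startswith("#fields\t"):
        return [], ["missing '#fields' header line"]
    fields = lines[0][len("#fields\t"):].split("\t")
    problems = [f"header lacks required column {f!r}"
                for f in REQUIRED_FIELDS if f not in fields]
    if problems:
        return [], problems

    entries = []
    for lineno, line in enumerate(lines[1:], start=2):
        if not line or line.startswith("#"):
            continue  # blank line or comment
        cols = line.split("\t")
        if len(cols) != len(fields):
            problems.append(f"line {lineno}: {len(cols)} columns, "
                            f"header declares {len(fields)}")
            continue
        entry = dict(zip(fields, cols))
        ind, typ = entry["indicator"], entry["indicator_type"]
        if typ not in INTEL_TYPES:
            # Type names are case-sensitive; "Intel::Email" is not a Bro type.
            problems.append(f"line {lineno}: unknown indicator_type {typ!r}")
        else:
            expected = guess_type(ind)
            if expected and expected != typ:
                problems.append(f"line {lineno}: indicator {ind!r} looks like "
                                f"{expected}, but is typed {typ}")
        notice = entry.get("meta.do_notice", "-")
        if notice not in ("T", "F", "-"):
            problems.append(f"line {lineno}: meta.do_notice must be T, F or -")
        entries.append(entry)
    return entries, problems


# Constructed sample: tab-separated, as Bro's input framework expects.
SAMPLE_INTEL = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice",
    "11.1.1.21\tIntel::EMAIL\tCIF - need-to-know\tsmtp\thttp://www.openbl.org/lists/base_all_smtp-only.txt\tT",
    "11.1.1.21\tIntel::ADDR\tCIF - need-to-know\tsmtp\thttp://www.openbl.org/lists/base_all_smtp-only.txt\tT",
    "scanner@example.invalid\tIntel::Email\tlocal\t-\t-\tT",
    "11.1.1.22\tIntel::ADDR\tlocal\tmissing columns",
])

if __name__ == "__main__":
    parsed, issues = parse_intel_file(SAMPLE_INTEL)
    print(f"{len(parsed)} usable entries, {len(issues)} problems")
    for issue in issues:
        print(" -", issue)
```

Run against a real file with parse_intel_file(open("smtp.intel").read()) before pointing Intel::read_files at it. The one thing the checker cannot tell you is whether the sensor ever sees the traffic: an IP entry only matches connections that pass the interface Bro is monitoring, and a client connecting to Gmail over TLS exposes no e-mail address for an Intel::EMAIL entry to hit.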