[Bro] How can I counter attacks to GMAIL accounts coming from known threats?

Vlad Grigorescu vlad at grigorescu.org
Sun Jul 12 02:09:07 PDT 2015


I don't understand what you're trying to do. The SSH scan is for
authentication brute-forcing. Is that what you're trying to detect for
GMail as well? Over what protocol(s)?

If your intel type is Intel::EMAIL, then it would expect an e-mail address,
and not an IP address.

I would recommend reviewing the documentation on the Intel framework:
https://www.bro.org/sphinx/frameworks/intel.html

  --Vlad

On Sat, Jul 11, 2015 at 10:53 PM, Javier Richard Quinto Ancieta <
richardqa at gmail.com> wrote:

>
> Hi everyone,
>
> I am working with Bro and CIF Server through the Intel framework.
>
> All is ok when I test with Infrastructure/scan for SSH protocol. But I
> have problems when I want to filter attacks of scanning against Gmail
> users.
>
> I assumed that a filter for SMTP is:
>
> 11.1.1.21      Intel::Email   CIF - need-to-know      smtp    http://www.openbl.org/lists/base_all_smtp-only.txt      (public)        -       medium  85
>
> * 11.1.1.21 (known threat)
>
> I copy this filter into a file (e.g., smtp.intel) and I put it at ./local.bro
>
> I reinstalled bro:
>
> broctl stop
> broctl check
> broctl install
> broctl start
>
> Bro is running with the new filter shown above.
>
> Finally, I tried to access a GMAIL account from the IP 11.1.1.21
> (malicious IP) and I didn't receive any response (alert) from Bro IDS.
> Thus, I wonder how I can filter malicious users that launch attacks on
> Gmail accounts. How do I have to work to counter this attack?
>
> Thank you,
> Javier
>
>
> --
> Javier
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
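The mismatch Vlad points at (an IP address labelled `Intel::EMAIL`) is the kind of thing that is easy to catch before `broctl install` rather than after. The following is an added example, not code from the thread and not part of Bro or CIF: a small Python linter for Bro intel files, which per the Intel framework documentation linked above are tab-separated with a `#fields` header naming the columns and `-` for an empty field. The check confirms that each `indicator_type` is one of the framework's known types and that the indicator value is of the matching shape (an IP for `Intel::ADDR`, an address with `@` for `Intel::EMAIL`, and so on). The sample file embedded below is constructed for the example; the `11.1.1.21` entry reproduces the thread's typing error and is followed by the corrected `Intel::ADDR` line.

```python
import ipaddress
import re
from typing import Dict, List

# Indicator types of the Bro 2.x Intel framework (Intel::Type).
KNOWN_TYPES = {
    "Intel::ADDR", "Intel::URL", "Intel::SOFTWARE", "Intel::EMAIL",
    "Intel::DOMAIN", "Intel::USER_NAME", "Intel::FILE_HASH",
    "Intel::FILE_NAME", "Intel::CERT_HASH",
}

# Columns every intel file must carry; further meta.* columns are optional.
REQUIRED_FIELDS = ("indicator", "indicator_type", "meta.source")

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def indicator_matches_type(indicator: str, itype: str) -> bool:
    """Return True when the indicator value has the shape its declared type implies."""
    if itype == "Intel::ADDR":
        try:
            ipaddress.ip_address(indicator)
            return True
        except ValueError:
            return False
    if itype == "Intel::EMAIL":
        return EMAIL_RE.match(indicator) is not None
    if itype == "Intel::DOMAIN":
        return DOMAIN_RE.match(indicator) is not None
    if itype == "Intel::URL":
        # Bro matches URLs without the scheme, so only require a path separator.
        return "/" in indicator and " " not in indicator
    # Remaining types (hashes, names, software) have no cheap shape test here.
    return itype in KNOWN_TYPES


def parse_intel_file(text: str) -> List[Dict[str, str]]:
    """Parse the tab-separated intel format into one dict per data row."""
    fields = None
    rows: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.startswith("#fields"):
            fields = raw.split("\t")[1:]
            missing = [f for f in REQUIRED_FIELDS if f not in fields]
            if missing:
                raise ValueError(f"line {lineno}: #fields lacks {missing}")
            continue
        if raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data row before the #fields header")
        cols = raw.split("\t")
        if len(cols) != len(fields):
            raise ValueError(
                f"line {lineno}: {len(cols)} columns, header declares {len(fields)}")
        row = dict(zip(fields, cols))
        row["_line"] = str(lineno)
        rows.append(row)
    return rows


def lint_intel(text: str) -> List[str]:
    """Return one human-readable problem string per bad row (empty list = clean)."""
    problems = []
    for row in parse_intel_file(text):
        itype, value, line = row["indicator_type"], row["indicator"], row["_line"]
        if itype not in KNOWN_TYPES:
            problems.append(f"line {line}: unknown indicator_type {itype!r}")
        elif not indicator_matches_type(value, itype):
            problems.append(
                f"line {line}: indicator {value!r} does not look like a {itype}")
    return problems


# Constructed sample file (hypothetical rows, not real intel data).
SAMPLE_INTEL = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\n"
    # The thread's mistake: an IP address typed as an e-mail indicator.
    "11.1.1.21\tIntel::EMAIL\tCIF\tneed-to-know\thttp://www.openbl.org/lists/base_all_smtp-only.txt\n"
    # Corrected: the same IP with the type the framework expects for addresses.
    "11.1.1.21\tIntel::ADDR\tCIF\tneed-to-know\thttp://www.openbl.org/lists/base_all_smtp-only.txt\n"
    # A correctly typed e-mail indicator (constructed address).
    "attacker@example.com\tIntel::EMAIL\tCIF\tconstructed example\t-\n"
    # A typo in the type name, which Bro would reject at load time.
    "evil.example\tIntel::DOMAINN\tCIF\ttypo in type\t-\n"
)

if __name__ == "__main__":
    for problem in lint_intel(SAMPLE_INTEL):
        print(problem)
```

Run against the sample, the linter reports the `Intel::EMAIL` row holding an IP and the misspelled `Intel::DOMAINN` row, and passes the `Intel::ADDR` line, which is the form that lets the framework match `11.1.1.21` as a connection endpoint regardless of the protocol in use.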

