[Bro] Intel Framework Issues

Patrick Kelley pkelley at hyperionavenue.com
Mon Nov 23 13:14:40 PST 2015


I perform IR daily as a core function.  I find immense value in seeing all
attempts, so long as the performance cost isn't prohibitive.

Even if the connection doesn't complete, it shows intent.  There may not be
a great deal to look at, but it puts it on my radar and generally inspires
me to look at other traffic on that local host.  It is possible that
something else of interest is happening, but the IOCs haven't made it into
a feed.

On Mon, Nov 23, 2015 at 12:48 PM, Seth Hall <seth at icir.org> wrote:

>
> > On Nov 23, 2015, at 1:47 PM, Josh Liburdi <liburdi.joshua at gmail.com>
> wrote:
> >
> > I think the most common gotcha for IP addresses is that they will only
> appear in intel.log when they are a part of a successful TCP connection.
> Unsuccessful TCP connections and non-TCP connections will not appear in the
> log.
>
> Thanks for pointing that out Josh!  I do want to point out the reasoning
> behind that as a default decision.  My thinking was that spoofed packets
> could cause false hits and generally non-responded-to probes coming from
> intelligence hosts aren’t all that interesting.  Is there general agreement
> that that’s the right approach or should single packets hit on intelligence
> items by default?
>
> I think there is a high bar to clear with adding that as default behavior,
> but I’d like to hear from people actively doing incident response on their
> thoughts.
>
> I should also point out that we can certainly include a script that
> matches on non-complete connections with Bro even if we don’t load it by
> default.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 

Patrick Kelley, CEH
Hyperion Avenue Labs
http://www.hyperionavenue.com
951.291.8310

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
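The thread turns on a single intel-framework default: the shipped `conn-established` seen-script only feeds `Intel::seen()` once both TCP sides reach `TCP_ESTABLISHED`, so a SYN that is never answered, a SYN that is reset, or a UDP/ICMP flow never reaches intel.log. The script below is an added example, not code from this thread or from the Bro distribution, showing what the opt-in "matches on non-complete connections" script Seth describes could look like; the module name, the two `Intel::Where` values and the `match_originator` knob are my own choices, and `connection_attempt`, `connection_rejected`, `new_connection`, `get_port_transport_proto` and `Intel::seen` are standard Bro events and functions.

```bro
# Added example (not from the thread or the Bro project): report
# intel hits on connections the default conn-established script
# ignores. Load it alongside policy/frameworks/intel/seen, not
# instead of it.

@load base/frameworks/intel

module IntelSeenAttempts;

# Distinct "where" values (assumed names) so the seen.where column in
# intel.log tells an analyst whether a hit came from a completed
# connection (Conn::IN_RESP, default script) or from a bare attempt.
redef enum Intel::Where += {
	IntelSeenAttempts::IN_ORIG_ATTEMPT,
	IntelSeenAttempts::IN_RESP_ATTEMPT
};

export {
	## Also match the originator address of an attempt. Off by
	## default: on a single unanswered packet the source address is
	## unverified, so a spoofed source would yield a false hit.
	const match_originator = F &redef;
}

function seen_attempt(c: connection)
	{
	# The responder is the address the local host chose to contact,
	# which is the "intent" signal the thread is after.
	Intel::seen([$host=c$id$resp_h,
	             $conn=c,
	             $where=IntelSeenAttempts::IN_RESP_ATTEMPT]);

	if ( match_originator )
		Intel::seen([$host=c$id$orig_h,
		             $conn=c,
		             $where=IntelSeenAttempts::IN_ORIG_ATTEMPT]);
	}

# TCP SYN that got no answer (conn.log state S0).
event connection_attempt(c: connection)
	{
	seen_attempt(c);
	}

# TCP SYN answered with a RST (conn.log state REJ).
event connection_rejected(c: connection)
	{
	seen_attempt(c);
	}

# First packet of any flow. Only non-TCP is handled here so that a
# completed TCP connection is still reported exactly once, by the
# default conn-established script.
event new_connection(c: connection)
	{
	if ( get_port_transport_proto(c$id$resp_p) != tcp )
		seen_attempt(c);
	}
```

Drop the file next to `local.bro` and `@load` it there, or test it offline with `bro -r some.pcap local.bro intel-attempts.bro` against an intel file that lists a responder address you know appears in the capture. The split into a separate `where` value is deliberate: it keeps the default log semantics intact while letting an analyst grep intel.log for `IN_RESP_ATTEMPT` to find exactly the "intent without a completed connection" cases Patrick wants on his radar, and it makes the extra false-hit exposure from single packets easy to measure before deciding whether it belongs in a default load.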
