[Bro] Basic Alerts/Email questions

[Eric Hacecky]

Hi Seth,

Thanks for the reply.


>> Aside from that I have 1 SQL injection alert from Bro.
>> Meanwhile I have 100s of SQLi alerts registered in snort.

- Found the problem here.

from detect-sqli.bro  const sqli_requests_threshold: double = 50.0 &redef;

50 is just too high for my environment as the attacks get shut down before they reach that threshold.  I redefined it to a lower value.

I'll skip the rest of the previous email and focus on the real message here.


>You seem to be approaching Bro from the perspective that it's a different version of Snort.  Please try to let go of thinking about network monitoring and intrusion detection with the mindset of Snort where one >signature generates one notice for a sequence of bytes.  Spend a long time digging through the logs that it's generating, it's likely that you'll get a lot of pleasant surprises and you will learn a lot about >your network that you didn't already know.

You are 100% correct.  I could list a number of different articles I've read recently, some of them by you in fact, that convey the same sentiments.

I'm already a believer and will continue to use Bro, but for management who will never directly interact with it, I need Bro to be meaningful to them.  Whether that's Snort-like alerts, metrics, heuristic data, etc.  I just went with alerts because it seemed like the easiest to get going straight away.

I've been combing through github.com/trending/bro for some scripts that I can add.  I've done as many training exercises as I can find, including the ones offered on bro.org as well as some from other sites, including ones that deal with logging like you mention https://www.bro.org/bro-workshop-2011/solutions/logs/

So that's where I am.  I will certainly continue working with the logs.  In addition to that if you or anyone else have ideas on where I should be focusing my time for a new Bro install please let me know.

Thanks,
Eric