[Bro] bro ids icmp and attack signatures

Mostafa Abdallah. Ammar mostafaammar at aast.edu
Mon May 9 06:20:49 PDT 2016 

Dear All,

I tried the following script icmptest.bro (attached) while running remote syslog, all the messages on syslog are regarding ipv6 and not ipv4 is there an explanation for that .

05-09-2016    14:56:23    Local7.Info    10.0.1.153    May  9 14:55:45 ubuntu-HVM-domU bro_notice: 1462798535.800222   -   -   -   -   -   -   -   -   -   DetectICMPSHell::  ICMP connection threshold exceeded : fe80::1d26:ba55:fc1c:4a8    -   -   -   -   -   bro   Notice::ACTION_LOG   3600.000000   F   -   -   -   -   -
Best Regards,

Eng. Mostafa Abdallah Ammar,Msc.
Information Security and Auditing Supervisor
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674
________________________________
From: Mostafa Abdallah. Ammar
Sent: Thursday, May 05, 2016 4:42 PM
To: bro at bro.org
Subject: bro ids icmp and attack signatures

Dear All,

I am new to bro ids , I installed successfully bro ids , and added a tap to network to it , and for example if I accessed a website on a machine I can see in http.log the website I accessed and if the wqebsite is ssl i can see in ssl.lot and x509.log the certificate info

my question is :

I want when I ping i see a notification for this ping (I tried and could not find)

can I use signatures like snort with bro that generate logs when receiving an attack and generate log with signature ID

Please provide reply with some details as I am new to bro.


Best Regards,

Eng. Mostafa Abdallah Ammar,Msc.
Information Security and Auditing Supervisor
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160509/0f096dfd/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: icmptest.bro
Type: application/octet-stream
Size: 4477 bytes
Desc: icmptest.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160509/0f096dfd/attachment-0001.obj

More information about the Bro mailing list