[Bro] bro ids icmp and attack signatures

Seth Hall seth at icir.org
Tue May 10 09:09:04 PDT 2016


I would look into what ICMP messages you are seeing over ICMP that are causing this.  This is probably just due to some aspect of how router solicitation or neighbor solicitation happens.  I would also create a pcap containing a test case where you know this to trigger correctly, so that you can have a repeatable test.

  .Seth


> On May 9, 2016, at 9:20 AM, Mostafa Abdallah. Ammar <mostafaammar at aast.edu> wrote:
> 
> Dear All,
> 
> I tried the following script icmptest.bro (attached) while running remote syslog. All the messages on syslog are regarding IPv6 and not IPv4. Is there an explanation for that?
> 
> 05-09-2016    14:56:23    Local7.Info    10.0.1.153    May  9 14:55:45 ubuntu-HVM-domU bro_notice: 1462798535.800222   -   -   -   -   -   -   -   -   -   DetectICMPSHell::  ICMP connection threshold exceeded : fe80::1d26:ba55:fc1c:4a8    -   -   -   -   -   bro   Notice::ACTION_LOG   3600.000000   F   -   -   -   -   -
> Best Regards,
> 
> Eng. Mostafa Abdallah Ammar,Msc.
> Information Security and Auditing Supervisor
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
> From: Mostafa Abdallah. Ammar
> Sent: Thursday, May 05, 2016 4:42 PM
> To: bro at bro.org
> Subject: bro ids icmp and attack signatures
> 
> Dear All,
> 
> I am new to Bro IDS. I installed Bro IDS successfully and added a tap to the network for it, and for example if I access a website on a machine I can see in http.log the website I accessed, and if the website is SSL I can see in ssl.log and x509.log the certificate info.
> 
> My question is:
> 
> I want, when I ping, to see a notification for this ping (I tried and could not find one).
> 
> Can I use signatures like Snort with Bro that generate logs when receiving an attack, and generate a log with the signature ID?
> 
> Please reply with some details, as I am new to Bro.
> 
> 
> Best Regards,
> 
> Eng. Mostafa Abdallah Ammar,Msc.
> Information Security and Auditing Supervisor
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
> <icmptest.bro>

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
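As an added illustration of Seth's point (this is not the poster's icmptest.bro, which is not on the page, nor any Bro project script), the following Bro script raises a notice for echo requests on either IP family and a per-source threshold, while keeping ICMPv6 neighbor solicitation out of the count. It assumes the Bro 2.x event and record names icmp_echo_request, icmp_neighbor_solicitation and icmp_conn$v6; the module name, notice types and thresholds are made up here.

```bro
# Added example, not the poster's icmptest.bro. Assumes Bro 2.x event and
# record names (icmp_echo_request, icmp_neighbor_solicitation, icmp_conn$v6).
@load base/frameworks/notice

module PingNotice;

export {
    redef enum Notice::Type += {
        ## A single ICMP echo request (ping) was seen.
        Echo_Request,
        ## One source sent echo_threshold pings within echo_window.
        Echo_Threshold_Exceeded,
    };

    ## Pings from one source before Echo_Threshold_Exceeded is raised.
    const echo_threshold = 10 &redef;
    ## A source's counter is dropped this long after its last ping.
    const echo_window = 5min &redef;
}

# Per-source echo-request counter; entries expire after echo_window.
global echo_count: table[addr] of count &default=0 &write_expire=echo_window;

# Both IPv4 echo (type 8) and ICMPv6 echo (type 128) arrive here. $identifier
# lets the notice framework suppress repeats for the same src/dst pair.
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    local src = icmp$orig_h;
    NOTICE([$note=Echo_Request,
            $msg=fmt("ICMP%s echo request from %s to %s, seq=%d",
                     icmp$v6 ? "v6" : "v4", src, icmp$resp_h, seq),
            $conn=c,
            $identifier=cat(src, icmp$resp_h)]);

    ++echo_count[src];
    if ( echo_count[src] == echo_threshold )
        NOTICE([$note=Echo_Threshold_Exceeded,
                $msg=fmt("%d echo requests from %s within %s", echo_threshold, src, echo_window),
                $conn=c,
                $identifier=cat(src)]);
    }

# ICMPv6 neighbor solicitation (type 135) is also ICMP and is constant LAN
# background noise from link-local fe80:: addresses. A threshold that counts
# every ICMP message fills up with it; here it is only reported, never counted.
event icmp_neighbor_solicitation(c: connection, icmp: icmp_conn, tgt: addr, options: icmp6_nd_options)
    {
    Reporter::info(fmt("ICMPv6 neighbor solicitation from %s for %s (not a ping)", icmp$orig_h, tgt));
    }
```

Run it against a pcap with `bro -r ping-test.pcap pingnotice.bro` (pcap name is a placeholder) so the trigger is repeatable, as Seth suggests.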
