[Bro] bro ids icmp and attack signatures

Mostafa Abdallah. Ammar mostafaammar at aast.edu
Tue May 10 12:41:16 PDT 2016


Dear Seth,

Thanks for your kind reply. Finally it is solved and I can see logs for the ICMP echo request and echo response; I was not putting the notice action correctly under the echo request event. Kindly find the attached file after editing, for anyone who follows this case.

Now I can print the time in network time format in the logs; is there a way to transfer it to a human-readable format?

Best Regards,

Eng. Mostafa Abdallah Ammar, MSc.
Information Security and Auditing Supervisor
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674
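An added example (my own, not the icmptest.bro attachment from the thread) of the two points above: raising a logged notice from the icmp_echo_request and icmp_echo_reply events, and rendering the network-time timestamp with strftime() so the notice carries a human-readable time. The module name ICMPEcho, the notice type names and the time format string are assumptions.

```bro
##! Added example: log a notice for every ICMP echo request/reply and
##! include a human-readable timestamp next to the epoch-style ts field.

@load base/frameworks/notice

module ICMPEcho;

export {
    redef enum Notice::Type += {
        ## An ICMP echo request (ping) was seen.
        Echo_Request,
        ## An ICMP echo reply was seen.
        Echo_Reply,
    };

    ## strftime() format for the readable time (assumed; adjust to taste).
    const time_fmt = "%Y-%m-%d %H:%M:%S" &redef;
}

# network_time() returns a 'time' (seconds since the epoch, the same value
# that appears in the ts column); strftime() renders it in time_fmt.
function readable_time(t: time): string
    {
    return strftime(time_fmt, t);
    }

# Shared body for both events. The same events fire for ICMPv4 and ICMPv6
# echo; icmp$v6 tells the two apart. No $identifier is given, so the notice
# framework does not suppress repeats and every ping produces a log line.
function raise_echo_notice(n: Notice::Type, kind: string, c: connection,
                           icmp: icmp_conn, id: count, seq: count)
    {
    local ver = icmp$v6 ? "ICMPv6" : "ICMPv4";
    NOTICE([$note=n,
            $conn=c,
            $msg=fmt("%s echo %s %s -> %s id=%d seq=%d",
                     ver, kind, icmp$orig_h, icmp$resp_h, id, seq),
            $sub=readable_time(network_time()),
            $actions=set(Notice::ACTION_LOG)]);
    }

event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    raise_echo_notice(Echo_Request, "request", c, icmp, id, seq);
    }

event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    raise_echo_notice(Echo_Reply, "reply", c, icmp, id, seq);
    }
```

Load it with `bro -r ping.pcap icmpecho.bro` against a capture you know contains pings (as Seth suggests below) and check notice.log: the ts column stays in epoch form, while the sub column holds the formatted time.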

________________________________________
From: Seth Hall [seth at icir.org]
Sent: Tuesday, May 10, 2016 6:09 PM
To: Mostafa Abdallah. Ammar
Cc: bro at bro.org
Subject: Re: [Bro] bro ids icmp and attack signatures

I would look into what icmp messages you are seeing over ICMP that are causing this. This is probably just due to some aspect of how router solicitation or neighbor solicitation happens. I would also create a pcap containing a test case where you know this to trigger correctly so that you can have a repeatable test.

  .Seth


> On May 9, 2016, at 9:20 AM, Mostafa Abdallah. Ammar <mostafaammar at aast.edu> wrote:
>
> Dear All,
>
> I tried the following script icmptest.bro (attached) while running remote syslog; all the messages on syslog are regarding IPv6 and not IPv4. Is there an explanation for that?
>
> 05-09-2016    14:56:23    Local7.Info    10.0.1.153    May  9 14:55:45 ubuntu-HVM-domU bro_notice: 1462798535.800222   -   -   -   -   -   -   -   -   -   DetectICMPSHell::  ICMP connection threshold exceeded : fe80::1d26:ba55:fc1c:4a8    -   -   -   -   -   bro   Notice::ACTION_LOG   3600.000000   F   -   -   -   -   -
> Best Regards,
>
> Eng. Mostafa Abdallah Ammar, MSc.
> Information Security and Auditing Supervisor
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
> From: Mostafa Abdallah. Ammar
> Sent: Thursday, May 05, 2016 4:42 PM
> To: bro at bro.org
> Subject: bro ids icmp and attack signatures
>
> Dear All,
>
> I am new to Bro IDS. I installed Bro IDS successfully and added a network tap to it, and for example if I access a website on a machine I can see in http.log the website I accessed, and if the website is SSL I can see in ssl.log and x509.log the certificate info.
>
> My question is:
>
> I want, when I ping, to see a notification for this ping (I tried and could not find one).
>
> Can I use signatures like Snort's with Bro that generate logs when receiving an attack, and generate a log with the signature ID?
>
> Please provide a reply with some details as I am new to Bro.
>
>
> Best Regards,
>
> Eng. Mostafa Abdallah Ammar, MSc.
> Information Security and Auditing Supervisor
> CCIE security #23971
> Arab Academy For Science And Technology & maritime Transport
> Computer Networks & Data Center (CNDC)
> Mobile: 002 01001983674
> <icmptest.bro>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: icmptest.bro
Type: application/octet-stream
Size: 4713 bytes
Desc: icmptest.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160510/3248c3ff/attachment.obj 
