[Bro] My first Bro Scripts
Josh Guild
josh.guild at morphick.com
Fri May 27 06:12:59 PDT 2016
Hi Abdul,
You could use it to verify outbound connections if you wanted.
Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets
set with the IPs you like to verify.
What's your overall goal with monitoring outbound connections? There may be
a more elegant way of achieving it.
Thanks!
On Thu, May 26, 2016 at 7:41 PM, ِABDUL ALEANAZI <d7om.ph at hotmail.com>
wrote:
> what about outgoing connections? does it check for that?
>
> Sent from my iPhone
>
> On May 26, 2016, at 10:42 AM, Josh Guild <josh.guild at morphick.com> wrote:
>
> Hi everyone,
>
> I wrote a few Bro scripts to cut my teeth on the language if you all would
> like to check them out:
>
> https://github.com/joshuaguild/bro_scripts
>
> Network Visibility will allow you to confirm that the traffic that should
> be flowing to your sensor actually is. You can populate what subnets you
> should be seeing and it will dump a log to confirm if it sees a host in
> that subnet.
>
> RDP Layout just checks the keyboard_layout field in the rdp.log against a
> whitelist (or you can make it a black list by changing the !in to in). Good
> for monitoring for lateral movement or connections to your DMZ.
>
> Comments/criticism are welcome! (I'm a network guy, not a programmer so...)
>
> --
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> <http://mailman.icsi.berkeley.edu/mailman/listinfo/bro>
>
>
--
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160527/2592a5ae/attachment-0001.html
More information about the Bro
mailing list