[Bro] My first Bro Scripts
Seth Hall
seth at icir.org
Fri May 27 07:04:02 PDT 2016
> On May 27, 2016, at 9:12 AM, Josh Guild <josh.guild at morphick.com> wrote:
>>
>> Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet.
I like that visibility script. It's a pretty neat idea. Let me know if you need any pointers for moving to local_nets.
>> RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a black list by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ.
Cool idea too. Has it caught anything interesting?
One small suggestion I could make is that you might want to go through quickly and clean up the formatting of your scripts. You have tabs and spaces intermixed and some parts just aren't indented to the correct depth, it would make them a bit easier to read. :)
�
Thanks for putting those scripts out there. Cool ideas!
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list