[Bro] My first Bro Scripts

ABDUL ALEANAZI d7om.ph at hotmail.com
Fri May 27 09:27:46 PDT 2016


great! Thank you

my goal is to monitor the behaviour of the network for outbound connection 

Sent from my iPhone

> On May 27, 2016, at 6:13 AM, Josh Guild <josh.guild at morphick.com> wrote:
> 
> Hi Abdul,
> 
> You could use it to verify outbound connections if you wanted. 
> 
> Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets set with the IPs you'd like to verify.
> 
> What's your overall goal with monitoring outbound connections? There may be a more elegant way of achieving it.
> 
> Thanks!
> 
>> On Thu, May 26, 2016 at 7:41 PM, ABDUL ALEANAZI <d7om.ph at hotmail.com> wrote:
>> what about outgoing connections? does it check for that? 
>> 
>> Sent from my iPhone
>> 
>>> On May 26, 2016, at 10:42 AM, Josh Guild <josh.guild at morphick.com> wrote:
>>> 
>>> Hi everyone,
>>> 
>>> I wrote a few Bro scripts to cut my teeth on the language if you all would like to check them out:
>>> 
>>> https://github.com/joshuaguild/bro_scripts
>>> 
>>> Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet.
>>> 
>>> RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a blacklist by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ.
>>> 
>>> Comments/criticism are welcome! (I'm a network guy, not a programmer so...)
>>> 
>>> -- 
>>> Josh Guild
>>> Network Intelligence Analyst
>>>  
>>> 
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> 
> -- 
> Josh Guild
> Network Intelligence Analyst
>  
> 
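The two checks discussed in the thread, the subnet-visibility log with the orig_h/resp_h switch for outbound connections and the rdp.log keyboard_layout whitelist, written out as one Bro script. This is an added example for this page, not code from the joshuaguild/bro_scripts repository; the module name, log path, notice type, and the sample subnets and layout strings are assumptions chosen for illustration, and the only identifier taken from the thread is the `net_conn_nets` set. It targets the Bro 2.4-era API (Log framework, Notice framework, base/protocols/rdp).

```bro
##! Added example (not the scripts from the linked repository).
##! Logs which expected subnets are actually seen by the sensor, optionally
##! for the responder side too, and raises a notice on RDP sessions whose
##! keyboard layout is not in an allowed set.

@load base/frameworks/notice
@load base/protocols/rdp

module VisCheck;

export {
    redef enum Log::ID += { LOG };

    redef enum Notice::Type += {
        ## An RDP session negotiated a keyboard layout outside the allowed set.
        RDP_Unexpected_Layout,
    };

    type Info: record {
        ts:   time   &log;
        net:  subnet &log;   ##< expected subnet the host fell into
        host: addr   &log;
        role: string &log;   ##< "orig" (inbound check) or "resp" (outbound check)
    };

    ## Subnets the sensor is expected to see. Constructed RFC 1918 values;
    ## replace them with the networks you actually want confirmed.
    const net_conn_nets: set[subnet] = { 10.0.0.0/8, 192.168.1.0/24 } &redef;

    ## Also check the responder address: the outbound variant the thread
    ## describes (c$id$orig_h -> c$id$resp_h).
    const check_responders = T &redef;

    ## Keyboard layouts considered normal here (constructed sample value).
    const allowed_layouts: set[string] = { "English - United States" } &redef;

    ## Set to T to treat allowed_layouts as a blacklist instead (the
    ## "change !in to in" variant from the thread).
    const layouts_are_blacklist = F &redef;
}

event bro_init()
    {
    Log::create_stream(VisCheck::LOG, [$columns=Info, $path="vis_check"]);
    }

## Write one record for each expected subnet the address falls into.
function record_host(h: addr, role: string)
    {
    # `addr in set[subnet]` is a longest-prefix match in Bro, so this is a
    # cheap early exit for hosts outside every expected range.
    if ( h !in net_conn_nets )
        return;

    for ( n in net_conn_nets )
        {
        if ( h in n )
            Log::write(VisCheck::LOG,
                       [$ts=network_time(), $net=n, $host=h, $role=role]);
        }
    }

event connection_established(c: connection)
    {
    record_host(c$id$orig_h, "orig");
    if ( check_responders )
        record_host(c$id$resp_h, "resp");
    }

## Fires once per rdp.log entry; keyboard_layout is &optional, so guard it.
event RDP::log_rdp(rec: RDP::Info)
    {
    if ( ! rec?$keyboard_layout )
        return;

    local listed = rec$keyboard_layout in allowed_layouts;
    local hit = layouts_are_blacklist ? listed : ! listed;

    if ( hit )
        NOTICE([$note=RDP_Unexpected_Layout,
                $msg=fmt("RDP from %s to %s with keyboard layout '%s'",
                         rec$id$orig_h, rec$id$resp_h, rec$keyboard_layout),
                $id=rec$id, $uid=rec$uid,
                $identifier=cat(rec$id$orig_h, rec$keyboard_layout)]);
    }
```

Run it against a capture with `bro -r trace.pcap vis_check.bro` and read `vis_check.log` and `notice.log`. Because `net_conn_nets`, `allowed_layouts` and the two flags are `&redef`, a site can override them from local.bro without editing the script, and `$identifier` keeps the RDP notice from repeating for every session from the same host and layout once notice suppression is on.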