[Bro] My first Bro Scripts

Josh Guild josh.guild at morphick.com
Fri May 27 10:21:47 PDT 2016


No problem. My script may be a limited way to do this. If there are
specific domains/IPs you'd like to watch for, then I'd recommend using the
intel framework. This will log and notify.

https://www.bro.org/sphinx/frameworks/intel.html

Or you could use bro-cut on the id.resp_h field in your conn.log with some
regex to remove private IPs (I think I have a one-liner for this somewhere)

Hope that helps!

On Fri, May 27, 2016, 12:28 ABDUL ALEANAZI <d7om.ph at hotmail.com> wrote:

> great! Thank you
>
> my goal is to monitor the behaviour of the network for outbound connection
>
> Sent from my iPhone
>
> On May 27, 2016, at 6:13 AM, Josh Guild <josh.guild at morphick.com> wrote:
>
> Hi Abdul,
>
> You could use it to verify outbound connections if you wanted.
>
> Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets
> set with the IPs you like to verify.
>
> What's your overall goal with monitoring outbound connections? There may
> be a more elegant way of achieving it.
>
> Thanks!
>
> On Thu, May 26, 2016 at 7:41 PM, ABDUL ALEANAZI <d7om.ph at hotmail.com>
> wrote:
>
>> what about outgoing connections? does it check for that?
>>
>> Sent from my iPhone
>>
>> On May 26, 2016, at 10:42 AM, Josh Guild <josh.guild at morphick.com> wrote:
>>
>> Hi everyone,
>>
>> I wrote a few Bro scripts to cut my teeth on the language if you all
>> would like to check them out:
>>
>> https://github.com/joshuaguild/bro_scripts
>>
>> Network Visibility will allow you to confirm that the traffic that should
>> be flowing to your sensor actually is. You can populate what subnets you
>> should be seeing and it will dump a log to confirm if it sees a host in
>> that subnet.
>>
>> RDP Layout just checks the keyboard_layout field in the rdp.log against a
>> whitelist (or you can make it a black list by changing the !in to in). Good
>> for monitoring for lateral movement or connections to your DMZ.
>>
>> Comments/criticism are welcome! (I'm a network guy, not a programmer
>> so...)
>>
>> --
>> Josh Guild
>> Network Intelligence Analyst
>> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>
>
> --
> Josh Guild
> Network Intelligence Analyst
> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>
>
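An added illustration of the two ideas discussed in this thread, written for this page and not taken from Josh Guild's bro_scripts repository: an outbound check that inspects `c$id$resp_h` against a `net_conn_nets` set of expected networks, and an RDP `keyboard_layout` whitelist that can be flipped to a blacklist by changing `!in` to `in`. The module name, notice types, subnet values and layout strings are assumptions chosen for the example; `Site::is_local_addr` and `RDP::log_rdp` are standard Bro 2.x APIs, and the script expects `Site::local_nets` to be populated so that "outbound" has meaning.

```bro
##! Added example (not Josh Guild's script): watch outbound connections
##! against an expected-network set, and check RDP keyboard layouts.

@load base/frameworks/notice
@load base/utils/site
@load base/protocols/rdp

module OutboundWatch;

export {
    redef enum Notice::Type += {
        ## A local host reached a responder outside net_conn_nets.
        Unexpected_Outbound,
        ## An RDP session advertised a keyboard layout not on the whitelist.
        RDP_Unexpected_Layout
    };

    ## Networks we expect local hosts to talk to (assumed values for this
    ## example; replace with the ones you actually want to verify).
    const net_conn_nets: set[subnet] = {
        10.0.0.0/8,
        192.168.0.0/16,
        203.0.113.0/24
    } &redef;

    ## Keyboard layouts we expect to see in rdp.log (assumed values).
    const rdp_layout_whitelist: set[string] = {
        "English - United States",
        "English - United Kingdom"
    } &redef;
}

event connection_established(c: connection)
    {
    # Only connections that originate inside our monitored space count as
    # outbound; Site::local_nets must be set for this test to be useful.
    if ( ! Site::is_local_addr(c$id$orig_h) )
        return;

    # For outbound monitoring the responder address is the one that matters,
    # so we test c$id$resp_h (the inbound version would test c$id$orig_h).
    if ( c$id$resp_h in net_conn_nets )
        return;

    # $identifier plus $suppress_for keeps a chatty host from flooding
    # notice.log with one entry per connection.
    NOTICE([$note=Unexpected_Outbound,
            $msg=fmt("%s connected to %s outside the expected networks",
                     c$id$orig_h, c$id$resp_h),
            $conn=c,
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1hr]);
    }

# Fires once per rdp.log record, after the RDP analyzer has filled it in.
event RDP::log_rdp(rec: RDP::Info)
    {
    # keyboard_layout is optional; skip records that never negotiated one.
    if ( ! rec?$keyboard_layout )
        return;

    # Whitelist mode: alert on layouts we do not expect.
    # Change "!in" to "in" below to turn this into a blacklist instead.
    if ( rec$keyboard_layout !in rdp_layout_whitelist )
        NOTICE([$note=RDP_Unexpected_Layout,
                $msg=fmt("RDP from %s to %s with keyboard layout '%s'",
                         rec$id$orig_h, rec$id$resp_h, rec$keyboard_layout),
                $id=rec$id,
                $identifier=cat(rec$id$orig_h, rec$keyboard_layout),
                $suppress_for=1day]);
    }
```

Load it with `bro -r some.pcap outbound_watch.bro` (or add it to `local.bro` on a sensor) and the results land in `notice.log`; to get e-mail or other actions, attach a `Notice::policy` hook to the two notice types rather than editing the script.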