[Bro] Newbie at bro, some questions

clautos sebclaut at gmail.com
Wed Sep 28 11:17:31 PDT 2016


Btw, if you want to test your config, add local after the bro -r tracefile.
You can also use tcpreplay and send the pcap to your listening interface.

Bro does not work as a classic IDS that will send an alert. Bro, as far as
I know, will log the connections and maybe send a notice
if there is a script telling it to do so, but it's not a signature IDS like
a Snort.
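As an added illustration of "a script telling it to do so" (this is example code, not something posted in this thread or shipped with Bro), here is a small Bro script that raises a notice when one client collects several HTTP 401 replies in a trace, which is the kind of behaviour the HTTP brute-force question above is about. The module name, the notice type, the table name and the threshold of 5 are all assumptions chosen for the example.

```bro
@load base/frameworks/notice

module TraceTest;   # assumed module name for this example

export {
    redef enum Notice::Type += {
        ## Raised when one client receives many HTTP 401 replies in the trace.
        HTTP_Many_Auth_Failures
    };

    ## Number of 401 replies from one client before a notice is raised
    ## (assumed value for the example; tune it for your environment).
    const auth_failure_threshold = 5 &redef;
}

# Per-client count of HTTP 401 replies, keyed by the originator address.
global auth_failures: table[addr] of count &default=0;

event http_reply(c: connection, version: string, code: count, reason: string)
{
    # Only authentication failures are interesting here.
    if ( code != 401 )
        return;

    local orig = c$id$orig_h;
    auth_failures[orig] = auth_failures[orig] + 1;

    # Raise the notice exactly once, when the threshold is first reached;
    # it ends up in notice.log next to conn.log and http.log.
    if ( auth_failures[orig] == auth_failure_threshold )
        NOTICE([$note=HTTP_Many_Auth_Failures,
                $msg=fmt("%s received %d HTTP 401 replies", orig, auth_failures[orig]),
                $conn=c,
                $identifier=cat(orig)]);
}
```

Save it as, for example, trace_test.bro and run it against a trace the way Dane describes below, with local added as clautos suggests: bro -r your_trace.pcap local trace_test.bro. If the trace contains at least five 401 replies to the same client, a notice.log appears in the current directory alongside the usual logs; otherwise only the connection and HTTP logs are written, which is the "log, and maybe notice" behaviour described above.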

2016-09-27 0:08 GMT+02:00 Yagyesh Srivastava <ysrivas at ncsu.edu>:

> That's great thanks.
> Could anyone please let me know, what if we want to test some attack
> traffic which is not mentioned in the traces.
> How do we do that?
> Do we have some more traces present which don't come to bro directory by
> default?
> Because I feel SQL Injection and HTTP brute force are common attack
> traffic and should ideally be present in the traces.
>
> Regards
>
> On Sep 26, 2016 4:17 PM, "Dane Wullen" <brot212 at googlemail.com> wrote:
>
>> Hi there,
>>
>> you can read in trace files via a command shell:
>>
>> bro -r <your_trace_file>
>>
>> Bro will then generate log files in the directory you run the command.
>>
>> To test a bro-script with a trace file you could run the command
>>
>> bro -r <your_trace_file> <your_bro_script>
>>
>> Cheers
>> On 26.09.2016 at 22:01, Yagyesh Srivastava wrote:
>>
>> Hi,
>>
>>
>> I am very new to bro, I don't quite fully understand how traces work.
>> What I need to do is generate some attack traffic to test the changes I
>> am trying to make. I see there are some traces in bro, how do these work?
>> As in how can I use those to test with bro?
>>
>> Also in the bro traces, I don't find the traffic for DOS attack and SQL
>> injection attack, can we find the traces for these somewhere else?
>>
>> Thanks and regards
>> Yagyesh
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>

