[Bro] Newbie at bro, some questions

Yagyesh Srivastava ysrivas at ncsu.edu
Thu Sep 29 06:32:46 PDT 2016


Thanks for the help.
So if my understanding is correct, running the traces on bro is as good as
sending the same traffic which is present in the pcap from another system
on to bro?

On Sep 29, 2016 8:52 AM, "Seth Hall" <seth at icir.org> wrote:

>
> > On Sep 26, 2016, at 6:08 PM, Yagyesh Srivastava <ysrivas at ncsu.edu>
> wrote:
> >
> > Could anyone please let me know, what if we want to test some attack
> traffic which is not mentioned in the traces.
> > How do we do that?
> > Do we have some more traces present which don't come to bro directory by
> default?
> > Because I feel SQL Injection and HTTP brute force are common attack
> traffic and should ideally be present in the traces.
>
> Unfortunately, getting representative test traffic is frequently very
> difficult.  For the SQL injection script specifically it would be nearly
> impossible to have a trace that has all of the potential variants of
> attacks so I resorted to testing the regular expression more directly.  I
> believe that regex needs to be updated some too because I know there are a
> lot of false positives that the internet is causing on it these days.
>
> If you want to see the SQL injection regex test suite, you can see it here:
>         https://github.com/bro/bro/blob/f5ce4785ea96b56643c092331a16308f071c8092/testing/btest/scripts/policy/protocols/http/test-sql-injection-regex.bro
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
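Seth's approach of testing the detection regex directly instead of hunting for a representative trace, as an added example that is not part of this thread and not Bro's own code: a small Python harness that runs a constructed, deliberately simplified SQLi pattern (an assumption standing in for the real detect-sqli regex) over a labelled set of constructed URIs and reports true positives, the benign requests that fire, and the attempts it misses.

```python
import re
from urllib.parse import unquote_plus

# Constructed, deliberately simplified SQL-injection pattern. It is NOT the
# regex from Bro's detect-sqli script; it only stands in for it here.
SQLI_PATTERN = re.compile(
    r"(?i)"
    r"(?:'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+)"  # quote-prefixed tautology
    r"|(?:union\s+(?:all\s+)?select\b)"          # UNION ... SELECT
    r"|(?:;\s*(?:drop|delete|insert|update)\b)"  # stacked statement
    r"|(?:--\s|/\*)"                             # comment terminator
)

def is_sqli(uri):
    """Match after percent-decoding, as a URI inspector must before matching."""
    return SQLI_PATTERN.search(unquote_plus(uri)) is not None

def evaluate(samples):
    """Return confusion counts plus the benign URIs that fired and attacks missed."""
    r = {"tp": 0, "fp": 0, "tn": 0, "fn": 0,
         "false_positives": [], "false_negatives": []}
    for uri, is_attack in samples:
        hit = is_sqli(uri)
        if hit and is_attack:
            r["tp"] += 1
        elif hit:
            r["fp"] += 1
            r["false_positives"].append(uri)
        elif is_attack:
            r["fn"] += 1
            r["false_negatives"].append(uri)
        else:
            r["tn"] += 1
    return r

# Constructed labelled corpus (not real traffic): True = injection attempt.
SAMPLES = [
    ("/products?id=42", False),
    ("/search?q=rock+and+roll", False),
    ("/login.php?user=admin'%20OR%20'1'%3D'1", True),
    ("/item?id=1%20union%20select%201,2,3", True),
    ("/search?q=foo';%20drop%20table%20t--%20", True),
    # Benign requests that still fire: the false positives Seth mentions.
    ("/docs/sql-tutorial?q=how+to+union+select+two+tables", False),
    ("/notes?text=meet+at+5+--+bring+coffee", False),
    # Unquoted tautology the simplified pattern misses: a false negative.
    ("/admin?cmd=1%20or%201%3D1", True),
]
print(evaluate(SAMPLES))
```

Swapping in the real detect-sqli pattern and extending SAMPLES with URIs from your own logs turns this into a quick regression check for the false-positive problem Seth describes.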