[Bro] new to bro, a few questions

Clark Gaylord cgaylord at vt.edu
Sun Feb 5 12:21:41 PST 2017


Though if you're thinking the eventuality of more of bro's functionality is
possibly in your future, there's something to be said for that. You could
retain logs for a couple days or a week, say, and use grep, etc. for
retaining your query of interest longer. That's probably easier than going
into the config and turning off the default reports, though as Troy points
out you can do that.

I've never known anyone to say "I wish I didn't have these data" (though
perhaps "I wish they didn't take up the space")...

--
Clark Gaylord
cgaylord at vt.edu
... autocorrect may have improved this message
    brevity should not imply curtness ...
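The original question in this thread asks for two things: running Bro with the stock detection scripts out of the way, and a minimal rule that flags DNS traffic mentioning cpsc.gov in a query or an answer. The script below is an added example written for this page; it is not code from the thread, from Troy or Clark, or from the Bro project. It assumes Bro 2.x (the event signatures shown are the 2.x ones), and the file name `watch-dns.bro`, the module name `WatchDNS`, the notice type `Watched_Domain` and the `watched_domains` set are names chosen for the example. A name matches when it equals a watched domain or is a subdomain of it; the comparison is case-insensitive.

```bro
##! Added example, not from the thread or the Bro project: raise a notice
##! whenever a DNS query or answer mentions a watched domain (default: cpsc.gov).
##! Assumes Bro 2.x. Save as watch-dns.bro (file name chosen for the example).

@load base/protocols/dns
@load base/frameworks/notice

module WatchDNS;

export {
	redef enum Notice::Type += {
		## A DNS query or answer mentioned one of the watched domains.
		Watched_Domain
	};

	## Domains to watch. A name matches if it equals the domain or is a
	## subdomain of it. Extend with: redef WatchDNS::watched_domains += { "example.net" };
	const watched_domains: set[string] = { "cpsc.gov" } &redef;
}

## True if `name` is a watched domain or a subdomain of one (case-insensitive).
function is_watched(name: string): bool
	{
	local n = to_lower(name);
	for ( d in watched_domains )
		{
		if ( n == d )
			return T;
		# Suffix check: the name must end in "." + domain, so that
		# "www.cpsc.gov" matches but "notcpsc.gov" does not.
		# sub_bytes() takes a 1-based start position.
		local suffix = "." + d;
		if ( |n| > |suffix| && sub_bytes(n, |n| - |suffix| + 1, |suffix|) == suffix )
			return T;
		}
	return F;
	}

## Emit the notice. $identifier makes the notice framework suppress repeats
## for the same client and name within Notice::default_suppression_interval.
function report(c: connection, what: string, name: string)
	{
	NOTICE([$note=Watched_Domain,
	        $msg=fmt("DNS %s mentions watched domain: %s", what, name),
	        $sub=name,
	        $conn=c,
	        $identifier=cat(c$id$orig_h, name)]);
	}

## Queries: one event per entry in the question section.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	if ( is_watched(query) )
		report(c, "query", query);
	}

## Answers: check the owner name of each A/AAAA record, and for CNAMEs both
## the owner name and the target, so an alias pointing into the domain is caught.
event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( is_watched(ans$query) )
		report(c, "A answer", ans$query);
	}

event dns_AAAA_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr)
	{
	if ( is_watched(ans$query) )
		report(c, "AAAA answer", ans$query);
	}

event dns_CNAME_reply(c: connection, msg: dns_msg, ans: dns_answer, name: string)
	{
	if ( is_watched(ans$query) || is_watched(name) )
		report(c, "CNAME answer", fmt("%s -> %s", ans$query, name));
	}
```

Run it as `bro -r trace.pcap watch-dns.bro` against a capture, or `bro -i eth0 watch-dns.bro` on a live interface. Invoked this way Bro loads only its `base/` scripts plus the one named on the command line, so the detection-oriented `policy/` scripts that `local.bro` would normally pull in are not active; that covers the "disable all the detection stuff" part of the question without editing any configuration. Hits land in `notice.log`; the base DNS analyzer still writes `dns.log`, which is the data Clark suggests keeping around for later grepping. Only traffic the DNS analyzer parses is seen, so a name that appears in some other record type (TXT, MX, ...) is not matched by this script unless you add the corresponding `dns_*_reply` event handler.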

On Feb 5, 2017 15:11, "Troy Ward" <pyrodie18 at gmail.com> wrote:

Not sure that bro is the best choice for what you're looking for.  Bro is
capable of doing what you're asking but this sounds like it may be better
to try out SNORT.  Bro is much more useful for getting a wide variety of
statistics for a wide variety of packets, not just a single DNS packet.

Troy



> Hi,  I'm new to Bro and I'm wondering how I can do a couple of things:
>
> 1.  I'd like to basically disable all of the various rules and detection
> stuff.
> 2. I'd like to create a simple rule that detects say DNS packets with
> cpsc.gov in the query or answer
>
> Figure it would be best to start simple and then build up rules (either my
> own, or others) as I need them.   Sort of a K&R "Hello World" approach..
>
> Any specifics would be much appreciated.
>
>
> Thank you


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro