[Bro] Detecting remote powershell
James Lay
jlay at slave-tothe-box.net
Fri Mar 16 10:46:12 PDT 2018
And disregard :D Totally seeing this:
2018-02-16T11:19:09-0700 CUve5yhDRpb6vE7u3 x.x.x.x 58754 x.x.x.x 5985 tcp http 109.998204 407 616 SF T T 0 ShADadFf 7 699 4 788 (empty) - -mac mac
2018-02-16T11:19:09-0700 FMF4K53EV8nQTRfKuh x.x.x.x x.x.x.x CUve5yhDRpb6vE7u3 HTTP 0 SHA1,MD5 text/plain - 0.000000 T T 198 198 0 0 F - d34f7af5e7fd60da9b7eee0fa1f7a569 87c8ce87b9efa3f2e02f9327adc38e0fe25fcc49 - - - -
2018-02-16T11:19:09-0700 FuSlHJ2gGKtnYoE1H x.x.x.x x.x.x.x CUve5yhDRpb6vE7u3 HTTP 0 SHA1,MD5 text/plain - 0.000000 T F 460 460 0 0 F - 63dbdde9a283f4ff750c39ebb018a2a7 666e7574be2dddabf9fae349109198d2481bc3ac - - - -
2018-02-16T11:19:09-0700 CUve5yhDRpb6vE7u3 x.x.x.x 58754 x.x.x.x 5985 1 POST server /wsman - 1.1 Microsoft WinRM Client 198 460 200 (empty) - - (empty) - -- FMF4K53EV8nQTRfKuh - text/plain FuSlHJ2gGKtnYoE1H - text/plain
YAY
James
On 2018-03-16 10:52, James Lay wrote:
> Ah...ok well there it is...I'll get a bug report going as I see the
> connection in conn.log, but nothing in http.log...thanks Seth!
>
> James
>
> On 2018-03-15 09:41, Seth Hall wrote:
>> On 9 Mar 2018, at 15:54, James Lay wrote:
>>
>>> So any chance we can get 5985 added to the list of "http" ports to
>>> parse, thank you.
>>
>> No need. Bro should automatically detect HTTP and add the analyzer.
>> If it isn't working correctly then I think we can view that as a bug.
>>
>> .Seth
>>
>> --
>> Seth Hall * Corelight, Inc * www.corelight.com
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
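The http.log record above is what a WinRM (remote PowerShell) session looks like once Bro's dynamic protocol detection has attached the HTTP analyzer to port 5985: a POST to /wsman with a "Microsoft WinRM Client" user agent. The following is an added example, not code from this thread or from the Bro project, that reads a Bro ASCII http.log and flags such sessions by two independent signals, the default WinRM port and the request shape, so that WinRM moved to a non-default port is still caught (which is exactly what the port-independent analyzer makes possible). Port 5986 (WinRM over HTTPS) is an assumed default not mentioned on the page; the sample log, addresses and uids are constructed.

```python
"""Flag WinRM (remote PowerShell) sessions in a Bro/Zeek ASCII http.log.

Added example: not code from the mailing-list thread or from the Bro
project. It parses the tab-separated log format using the #fields header
and applies two signals taken from the http.log record in the thread:
the default WinRM port (5985) and the request shape (POST /wsman with a
"Microsoft WinRM Client" user agent). Port 5986 (WinRM over HTTPS) is an
assumed default not on the page; all sample records below are constructed.
"""

# WinRM listener defaults: 5985 (HTTP, from the thread) and 5986 (HTTPS, assumed).
WINRM_PORTS = {5985, 5986}

# Constructed sample http.log: a #fields header plus four records. The columns
# are a subset of the real http.log; the parser reads whatever the header lists.
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth"
    "\tmethod\thost\turi\tversion\tuser_agent\trequest_body_len"
    "\tresponse_body_len\tstatus_code\n"
    "1518805149.0\tCUve5yhDRpb6vE7u3\t10.0.0.5\t58754\t10.0.0.9\t5985\t1"
    "\tPOST\tserver\t/wsman\t1.1\tMicrosoft WinRM Client\t198\t460\t200\n"
    "1518805150.0\tCUve5yhDRpb6vE7u3\t10.0.0.5\t58754\t10.0.0.9\t5985\t2"
    "\tPOST\tserver\t/wsman\t1.1\tMicrosoft WinRM Client\t1200\t3000\t200\n"
    "1518805151.0\tCabc123def456\t10.0.0.7\t41000\t10.0.0.20\t80\t1"
    "\tGET\tintranet\t/index.html\t1.1\tMozilla/5.0\t0\t5120\t200\n"
    "1518805152.0\tCzzz999yyy888\t10.0.0.8\t50001\t10.0.0.21\t8080\t1"
    "\tPOST\tbox\t/wsman\t1.1\tMicrosoft WinRM Client\t300\t500\t200\n"
)


def parse_bro_log(text):
    """Yield one dict per record, keyed by the column names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #close, ...)
        if fields is None:
            raise ValueError("record before #fields header")
        yield dict(zip(fields, line.split("\t")))


def winrm_signal(rec):
    """Return which signal(s) mark this request as WinRM, or None."""
    port = rec.get("id.resp_p", "-")
    by_port = port.isdigit() and int(port) in WINRM_PORTS
    by_content = rec.get("uri") == "/wsman" and "WinRM" in rec.get("user_agent", "")
    if by_port and by_content:
        return "port+content"
    if by_port:
        return "port"
    if by_content:
        return "content"
    return None


def summarize_winrm(text):
    """Group flagged requests by connection uid: one summary per WinRM session."""
    sessions = {}
    for rec in parse_bro_log(text):
        signal = winrm_signal(rec)
        if signal is None:
            continue
        s = sessions.setdefault(rec["uid"], {
            "orig_h": rec["id.orig_h"], "resp_h": rec["id.resp_h"],
            "resp_p": rec["id.resp_p"], "user_agent": rec.get("user_agent", "-"),
            "requests": 0, "bytes_out": 0, "match": signal,
        })
        s["requests"] += 1
        body = rec.get("request_body_len", "0")
        s["bytes_out"] += int(body) if body.isdigit() else 0  # "-" means unset
    return sessions


if __name__ == "__main__":
    for uid, s in summarize_winrm(SAMPLE_HTTP_LOG).items():
        print(f"{uid}: {s['orig_h']} -> {s['resp_h']}:{s['resp_p']} "
              f"{s['requests']} request(s), {s['bytes_out']} bytes out, "
              f"matched by {s['match']} ({s['user_agent']})")
```

On the constructed input the session on 5985 is matched by both port and content, and the one on 8080 by content alone; the plain GET is ignored. A hit only says that a WinRM session occurred, which is routine administration on many networks, so in practice the summary would be compared against the hosts that are expected to initiate remote PowerShell before it is treated as an alert.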