Hello List,
I have been running Bro since version 0.9 and I am very happy with it. You do
a great job.
Currently we need to move BRO to other box where it will monitor the
network on a mirror/monitor-port and not as now on a transparent bridge.
We configured a mirror/monitor port on our network equipment; we have a
gigabit interface without an IP address where all traffic is mirrored.
BRO is monitoring two class-C (/24) networks and is running on
FreeBSD-7.1-Release compiled from .tar.gz and not using ports-management.
-- Our start policy
@load brolite
@load site
@load file-flush
@load ssh
redef log_rotate_interval = 15 min;
redef local_nets: set[subnet] = { 10.20.20.0/24, 10.20.21.0/24 };
redef interfaces = "em1";
Now what is happening:
- bro does see all external and internal connections which are logged in
conn.log
- bro does see and log some scan attempts
- bro does NOT log any SSH-Connections (client/server version) when
coming from external but does log some when internal
- it was tested with a policy like this:
event ssh_client_version(c: connection, version: string) {
    print version;
}
- bro does NOT log any sensitive_URIs when coming from external but does
log it when such attempts are internal
- bro does NOT log any or only partial information about
FTP/SMTP/HTTP requests
- in older versions like 1.1d, for example, the username was logged for FTP;
now it is only partial for some connections
- we do not see any packet drops and packets have been processed
My question is: is this normal behavior now or is something broken?
I would really like to see the traffic/logs on connections from external
to internal for FTP/SMTP/HTTP/SSH - any hints?
Thank you in advance,
thorkill
PS. Internal connections means those within 10.20.20.0/24 and between those two
class-C networks.
--- loaded scripts
loading /usr/local/bro/share/bro//bro.init
loading /usr/local/bro/share/bro//const.bif.bro
loading /usr/local/bro/share/bro//strings.bif.bro
loading /usr/local/bro/share/bro//bro.bif.bro
loading /usr/local/bro/share/bro//event.bif.bro
loading /usr/local/bro/share/bro//common-rw.bif.bro
loading /usr/local/bro/share/bro//finger-rw.bif.bro
loading /usr/local/bro/share/bro//ftp-rw.bif.bro
loading /usr/local/bro/share/bro//ident-rw.bif.bro
loading /usr/local/bro/share/bro//smtp-rw.bif.bro
loading /usr/local/bro/share/bro//http-rw.bif.bro
loading /usr/local/bro/share/bro//dns-rw.bif.bro
loading /usr/local/bro/share/bro//pcap.bro
loading /usr/local/bro/share/bro//server-ports.bro
loading /usr/local/bro/share/bro//brolite.bro
loading /usr/local/bro/share/bro//site.bro
loading /usr/local/bro/share/bro//tcp.bro
loading /usr/local/bro/share/bro//conn.bro
loading /usr/local/bro/share/bro//notice.bro
loading /usr/local/bro/share/bro//drop.bro
loading /usr/local/bro/share/bro//notice-action-filters.bro
loading /usr/local/bro/share/bro//terminate-connection.bro
loading /usr/local/bro/share/bro//hot.bro
loading /usr/local/bro/share/bro//port-name.bro
loading /usr/local/bro/share/bro//netstats.bro
loading /usr/local/bro/share/bro//conn-id.bro
loading /usr/local/bro/share/bro//weird.bro
loading /usr/local/bro/share/bro//frag.bro
loading /usr/local/bro/share/bro//print-resources.bro
loading /usr/local/bro/share/bro//scan.bro
loading /usr/local/bro/share/bro//trw-impl.bro
loading /usr/local/bro/share/bro//trw.bro
loading /usr/local/bro/share/bro//http.bro
loading /usr/local/bro/share/bro//http-request.bro
loading /usr/local/bro/share/bro//http-reply.bro
loading /usr/local/bro/share/bro//http-entity.bro
loading /usr/local/bro/share/bro//software.bro
loading /usr/local/bro/share/bro//ftp.bro
loading /usr/local/bro/share/bro//hot-ids.bro
loading /usr/local/bro/share/bro//ftp-cmd-arg.bro
loading /usr/local/bro/share/bro//portmapper.bro
loading /usr/local/bro/share/bro//tftp.bro
loading /usr/local/bro/share/bro//udp-common.bro
loading /usr/local/bro/share/bro//login.bro
loading /usr/local/bro/share/bro//demux.bro
loading /usr/local/bro/share/bro//irc.bro
loading /usr/local/bro/share/bro//signatures.bro
loading /usr/local/bro/share/bro//blaster.bro
loading /usr/local/bro/share/bro//stepping.bro
loading /usr/local/bro/share/bro//alarm.bro
loading /usr/local/bro/share/bro//synflood.bro
loading /usr/local/bro/share/bro//smtp.bro
loading /usr/local/bro/share/bro//notice-policy.bro
loading /usr/local/bro/share/bro//inactivity.bro
loading /usr/local/bro/share/bro//stats.bro
loading /usr/local/bro/share/bro//rotate-logs.bro
loading /var/spool/bro//site/crns.bro
loading /usr/local/bro/share/bro//file-flush.bro
loading /usr/local/bro/share/bro//ssh.bro
pcap bufsize = 32768
listening on em1
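One check worth running before digging into the analyzers themselves is whether the mirror port actually delivers both directions of the external traffic. The following is an added example, not from the post or from Bro: a Python script that reads a 1.x-style conn.log and counts connections Bro recorded as SH or SHR (only one side of the handshake seen) or with a byte count known for only one direction, split into internal and external traffic. The column order (start, duration, orig_h, resp_h, service, resp_p, orig_p, proto, orig_bytes, resp_bytes, state, flags) is an assumption about the old whitespace-separated format, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict
# Constructed sample lines (not from the post). Assumed Bro 1.x conn.log column order:
# start duration orig_h resp_h service resp_p orig_p proto orig_bytes resp_bytes state flags
SAMPLE_CONN_LOG = """\
1231234567.12 0.9 10.20.20.5 10.20.21.9 ssh 22 40123 tcp 1520 2310 SF L
1231234570.40 3.1 198.51.100.7 10.20.20.5 ssh 22 51000 tcp 1480 ? SH X
1231234571.00 0.2 203.0.113.4 10.20.20.8 http 80 33211 tcp 400 ? SH X
1231234572.30 1.5 10.20.21.3 10.20.20.8 http 80 44100 tcp 612 5320 SF L
1231234580.00 0.0 198.51.100.9 10.20.20.5 ftp 21 50210 tcp ? 130 SHR X
"""
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.20.20.0/24", "10.20.21.0/24")]
# SH: originator's SYN and FIN seen but never a SYN-ACK; SHR: the reverse. One side missing.
HALF_SEEN_STATES = {"SH", "SHR"}

def is_local(addr):
    return any(ipaddress.ip_address(addr) in net for net in LOCAL_NETS)

def parse_conn_line(line):
    """Split one conn.log line into a dict; a '?' byte count becomes None."""
    f = line.split()
    if len(f) < 12:
        return None
    def count(s):
        return None if s == "?" else int(s)
    return {"orig_h": f[2], "resp_h": f[3], "service": f[4], "state": f[10],
            "orig_bytes": count(f[8]), "resp_bytes": count(f[9])}

def one_sided(conn):
    """True when only one direction was captured: half-seen state, or bytes known for one side."""
    if conn["state"] in HALF_SEEN_STATES:
        return True
    return (conn["orig_bytes"] is None) != (conn["resp_bytes"] is None)

def direction_visibility(log_text):
    """Count one-sided connections separately for internal and external traffic."""
    stats = defaultdict(lambda: {"total": 0, "one_sided": 0})
    for line in log_text.splitlines():
        conn = parse_conn_line(line)
        if conn is None:
            continue
        scope = "internal" if is_local(conn["orig_h"]) and is_local(conn["resp_h"]) else "external"
        stats[scope]["total"] += 1
        stats[scope]["one_sided"] += int(one_sided(conn))
    return dict(stats)

def mirror_looks_one_sided(stats, threshold=0.5):
    """Flag a mirror port that delivers mostly one direction of external traffic."""
    ext = stats.get("external")
    return bool(ext) and ext["one_sided"] / ext["total"] >= threshold
```

If external connections come out mostly one-sided while internal ones do not, the SPAN/mirror session is the first thing to re-check (both ingress and egress of the uplink must be mirrored), since application analyzers such as ssh and http need both directions to produce their logs.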