Bro detection scripts

abdulrahman_musallam · November 20, 2016, 10:28pm

Hi,
when i perform an TCP port scanning on my machine Bro raises a notice immediately to notice.log and this notice is raised by scan.bro script that detect scanning, such scripts exist for FTP brute forcing and SSH password guessing but when i perform any of these attacks (FTP brute forcing and SSH password guessing) it won’t show anything in notice log that indicates any occurrence of them!! could someone please help me with this problem! HOW TO INVOKE BRO DETECTION SCRIPTS??

Thanks.

johanna · November 28, 2016, 10:54pm

Hi,

since the ftp bruteforcing / ssh password guessing scripts are policy
scripts, they are not loaded by default.

If you invoke bro via command-line, just add
protocols/ssh/detect-bruteforcing.bro and
protocols/ftp/detect-bruteforcing.bro to your command line. If you use
broctl, the ssh bruteforce detector should be loaded by default; you have
to add the ftp one to local.bro.

If the notices still do not show up afterwards, you might need to tweak
the thresholds of the different scripts.

I hope this helps,
Johanna

Topic		Replies	Views
Bro detection scripts updates Zeek	2	106	May 6, 2022
Question about port scan detection and raising alarms Zeek	2	294	May 6, 2022
SSH brute-force email notice Zeek	11	105	May 6, 2022
bro not alert nessus attack Zeek	1	97	May 6, 2022
Bro: detectiong OS probes Zeek	2	82	May 6, 2022

Bro detection scripts

Related Topics