when i perform an TCP port scanning on my machine Bro raises a notice immediately to notice.log and this notice is raised by scan.bro script that detect scanning, such scripts exist for FTP brute forcing and SSH password guessing but when i perform any of these attacks (FTP brute forcing and SSH password guessing) it won’t show anything in notice log that indicates any occurrence of them!! could someone please help me with this problem! HOW TO INVOKE BRO DETECTION SCRIPTS??
since the ftp bruteforcing / ssh password guessing scripts are policy
scripts, they are not loaded by default.
If you invoke bro via command-line, just add
protocols/ftp/detect-bruteforcing.bro to your command line. If you use
broctl, the ssh bruteforce detector should be loaded by default; you have
to add the ftp one to local.bro.
If the notices still do not show up afterwards, you might need to tweak
the thresholds of the different scripts.
I hope this helps,