This is my first time using Linux as well as using Bro so it has taken a while for me to get it installed and up and running, but finally I think I have it. I am running Bro 1.5.3 on Ubuntu and I have gotten BroCtl to start but I have a couple questions:
- Where are the rules written that Bro is supposed to alert on? I came from Snort so I know a bit about IDS but I don’t know how Bro is set up.
- Where are the logs produced? /spool/broctl.dt?
What I really want to do is to log the packet(s) from an SSL handshake that contain a certificate. I was sort of able to do this in Snort. Snort gave me the right packets but the wrong data. I got the TCP Segment Data rather than the reassembled TCP packet of the whole certificate itself. I was told Bro could do this out of the box so hopefully this will work here.
Is this possible? How should I go about doing this. I am a true beginner with Linux and I am having some trouble understanding what is going on.
Thanks in advance