Dear All,
I am new to Bro IDS. I installed Bro successfully and added a network tap to it. For example, if I access a website from a machine I can see the website I accessed in http.log, and if the website uses SSL I can see the certificate info in ssl.log and x509.log.
My questions are:
I want to see a notification when I ping (I tried and could not find one).
Can I use signatures like Snort with Bro, so that it generates a log with the signature ID when receiving an attack?
Please provide reply with some details as I am new to bro.
Best Regards,
Eng. Mostafa Abdallah Ammar, MSc.
Information Security and Auditing Supervisor
CCIE security #23971
Arab Academy For Science And Technology & maritime Transport
Computer Networks & Data Center (CNDC)
Mobile: 002 01001983674
Dear All,
I tried the following script icmptest.bro (attached) while running remote syslog. All the messages on syslog are regarding IPv6 and not IPv4; is there an explanation for that?
05-09-2016 14:56:23 Local7.Info 10.0.1.153 May 9 14:55:45 ubuntu-HVM-domU bro_notice: 1462798535.800222 - - - - - - - - - DetectICMPSHell:: ICMP connection threshold exceeded : fe80::1d26:ba55:fc1c:4a8 - - - - - bro Notice::ACTION_LOG 3600.000000 F - - - - -
Best Regards,
Eng. Mostafa Abdallah Ammar, MSc.
icmptest.bro (4.37 KB)
I would look into what icmp messages you are seeing over ICMP that is causing this. This is probably just due to some aspect of how router solicitation or neighbor solicitation happens. I would also create a pcap containing a test case where you know this to trigger correctly so that you can have a repeatable test.
.Seth
Dear Seth,
Thanks for your kind reply. Finally it is solved and I can see logs for the ICMP echo request and echo reply; I was not putting the notice action correctly under the echo request event. Kindly find the attached file after editing, for anyone who follows this case.
Now I can print the time in network time format in the logs; is there a way to convert it to a human-readable format?
Best Regards,
Eng. Mostafa Abdallah Ammar, MSc.
icmptest.bro (4.6 KB)
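An added example of the two points in this last message, written for this thread and not taken from the poster's attached icmptest.bro: the NOTICE call sits inside the echo request and echo reply event handlers, and strftime() renders network_time() as a human-readable string inside the notice message. The module name and the two Notice::Type values are assumptions.

```bro
# Added example (not the poster's icmptest.bro). Raises a notice for each ICMP
# echo request/reply and puts a formatted timestamp in the notice message.
@load base/frameworks/notice

module DetectICMP;

export {
    redef enum Notice::Type += {
        ## One echo request (ping) seen on the wire.
        Echo_Request,
        ## One echo reply seen on the wire.
        Echo_Reply
    };
}

# network_time() is a ``time`` value (seconds since the epoch); strftime()
# formats it, so the message is readable without post-processing notice.log.
function human_time(t: time): string
    {
    return strftime("%Y-%m-%d %H:%M:%S", t);
    }

# icmp$v6 tells ICMPv4 from ICMPv6, which explains the fe80:: addresses seen
# earlier in the thread (link-local neighbor/router discovery traffic).
function ip_version(icmp: icmp_conn): string
    {
    return icmp$v6 ? "ICMPv6" : "ICMPv4";
    }

# The notice must be raised from within the event handler itself.
event icmp_echo_request(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    NOTICE([$note=Echo_Request,
            $msg=fmt("%s echo request %s -> %s (id %d, seq %d) at %s",
                     ip_version(icmp), icmp$orig_h, icmp$resp_h, id, seq,
                     human_time(network_time())),
            $conn=c]);
    }

event icmp_echo_reply(c: connection, icmp: icmp_conn, id: count, seq: count, payload: string)
    {
    NOTICE([$note=Echo_Reply,
            $msg=fmt("%s echo reply %s -> %s (id %d, seq %d) at %s",
                     ip_version(icmp), icmp$orig_h, icmp$resp_h, id, seq,
                     human_time(network_time())),
            $conn=c]);
    }
```

The ts column of notice.log itself stays in epoch format; when reading logs on the command line, `bro-cut -d < notice.log` converts that column to a readable date for you.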