BRO logs after http attacks

masoom_alam · October 28, 2015, 11:04pm

Hi Everyone,

We are trying to monitor the BRO logs after self generated HTTP attacks. In our lab we are trying to attack a web server through metasploit for HTTP SQL injection attacks. The goal is to monitor the attacks parameters/indicators via BRO logs. Are we on the right track. In particular what is the ALERT/ALARM mechanism for BRO when it detect an attack…is it indicated in the logs…or there are some places to look for it and not just logs. Till now, while surfing the BRO logs, we have not found any attack information…

Please guide.

Thanks

Azoff_Justin_S · October 28, 2015, 11:20pm

Bro calls ALERT/ALARM things notices. Logs for those events go to the notice.log, so that should have something about your sql injection attempts.

The protocols/http/detect-sqli handles that sort of thing. It will raise notices for scans and add entries to the 'tags' column of the http log for matching connections.

masoom_alam · October 29, 2015, 1:24am

Thanks for the response.

This means within http logs there is an indication of a possible attack through tags…which is detailed in notices.log…?

Topic		Replies	Views
changing log output Zeek	3	113	May 6, 2022
Bro alert Zeek	1	72	May 6, 2022
Bro programming intro Zeek	19	138	May 6, 2022
mod_security and bro Zeek	7	99	May 6, 2022
about Bro Zeek	2	122	May 6, 2022

BRO logs after http attacks

Related topics