BRO logs after http attacks

Hi Everyone,

We are trying to monitor the BRO logs after self-generated HTTP attacks. In our lab we are trying to attack a web server through Metasploit with HTTP SQL injection attacks. The goal is to monitor the attack parameters/indicators via the BRO logs. Are we on the right track? In particular, what is the ALERT/ALARM mechanism for BRO when it detects an attack? Is it indicated in the logs, or are there other places to look for it and not just the logs? Till now, while going through the BRO logs, we have not found any attack information.

Please guide.

Thanks

Bro calls ALERT/ALARM things notices. Logs for those events go to notice.log, so that should have something about your SQL injection attempts.

The protocols/http/detect-sqli handles that sort of thing. It will raise notices for scans and add entries to the 'tags' column of the http log for matching connections.
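To make the two places named in that reply concrete, here is an added example (not part of this thread, and not Bro's own code) that parses Bro's tab-separated log format and pulls out the SQLi indicators from both files: rows of http.log whose `tags` set contains the `HTTP::URI_SQLI` tag, and the per-type counts of `HTTP::SQL_Injection_Attacker` / `HTTP::SQL_Injection_Victim` entries in notice.log. Those tag and notice names are the ones used by the detect-sqli script as far as I know; the log lines below are constructed and trimmed to a few columns (a real http.log has many more), and the `(empty)`, `-` and `#separator` handling follows the headers Bro writes at the top of every log.

```python
"""Parse Bro/Zeek tab-separated logs and pull out SQL-injection indicators.

Added example, not Bro's own code. Sample logs are constructed and trimmed.
"""

# Constructed http.log: the header lines mirror what Bro writes, the column
# list is trimmed. The last column, 'tags', is what detect-sqli fills in.
HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tstatus_code\ttags
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount\tset[enum]
1432000000.100000\tCabc1\t10.0.0.5\t51234\t10.0.0.80\t80\tGET\tlab.example\t/index.php\t200\t(empty)
1432000001.200000\tCabc2\t10.0.0.5\t51235\t10.0.0.80\t80\tGET\tlab.example\t/item.php?id=1'%20OR%201=1--\t500\tHTTP::URI_SQLI
1432000002.300000\tCabc3\t10.0.0.5\t51236\t10.0.0.80\t80\tGET\tlab.example\t/item.php?id=1%20UNION%20SELECT%201\t200\tHTTP::URI_SQLI
"""

# Constructed notice.log, likewise trimmed. 'note' carries the notice type.
NOTICE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnotice
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsrc
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\taddr
1432000002.400000\t-\t-\t-\t-\t-\tHTTP::SQL_Injection_Attacker\tAn SQL injection attacker was discovered!\t10.0.0.5
1432000002.400000\t-\t-\t-\t-\t-\tHTTP::SQL_Injection_Victim\tAn SQL injection victim was discovered!\t10.0.0.80
"""


def parse_bro_log(text):
    """Return the records of one Bro log as a list of dicts keyed by #fields.

    Honors the #separator, #set_separator, #empty_field and #unset_field
    headers; set/vector columns become Python lists, unset values become None.
    """
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator line is space-delimited and escaped, e.g. "\x09".
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close carry no records
        row = {}
        for name, typ, val in zip(fields, types, line.split(sep)):
            if val == unset:
                row[name] = None
            elif typ.startswith(("set[", "vector[")):
                row[name] = [] if val == empty else val.split(set_sep)
            else:
                row[name] = val
        rows.append(row)
    return rows


def sqli_tagged(http_rows, tag="HTTP::URI_SQLI"):
    """http.log rows whose 'tags' set contains the SQLi tag."""
    return [r for r in http_rows if tag in (r.get("tags") or [])]


def notices_by_type(notice_rows):
    """Count notice.log entries per 'note' type, e.g. HTTP::SQL_Injection_Attacker."""
    counts = {}
    for r in notice_rows:
        counts[r["note"]] = counts.get(r["note"], 0) + 1
    return counts


def sqli_sources(notice_rows):
    """Hosts named as the source of SQL_Injection_Attacker notices."""
    return sorted({r["src"] for r in notice_rows
                   if r["note"] == "HTTP::SQL_Injection_Attacker" and r["src"]})


if __name__ == "__main__":
    http_rows = parse_bro_log(HTTP_LOG)
    for r in sqli_tagged(http_rows):
        print("tagged:", r["uid"], r["id.orig_h"], "->", r["id.resp_h"], r["uri"])
    notice_rows = parse_bro_log(NOTICE_LOG)
    print("notices:", notices_by_type(notice_rows))
    print("attacker hosts:", sqli_sources(notice_rows))
```

Point `parse_bro_log` at the contents of the real files under the Bro log directory to run the same two checks on live data; the `tags` column is per connection, so the http.log side shows exactly which requests matched, while notice.log only fires once the script's threshold for a host has been crossed, which is why a handful of test requests can show up in one file and not the other.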

Thanks for the response.

This means that within the http logs there is an indication of a possible attack through tags, which is detailed in notices.log?