How can I counter attacks to GMAIL accounts coming from known threats?

Hi everyone,

I am working with Bro and CIF Server through the Intel framework.

All is OK when I test with Infrastructure/scan for the SSH protocol, but I have problems when I want to filter scanning attacks against Gmail users.

I assumed that a filter for SMTP is: Intel::Email CIF - need-to-know smtp (public) - medium 85

  • (known threat)

I copied this filter into a file (e.g., and I put it at ./local.bro

I reinstalled Bro:

broctl stop
broctl check
broctl install
broctl start

Bro is running with the new filter shown above.

Finally, I tried to access a GMAIL account from the IP (malicious IP) and I didn't receive any response (alert) from Bro IDS. Thus, I wonder how I can filter malicious users that launch attacks against Gmail accounts. How do I have to work to counter this attack?

Thank you,

I don’t understand what you’re trying to do. The SSH scan is for authentication brute-forcing. Is that what you’re trying to detect for GMail as well? Over what protocol(s)?

If your intel type is Intel::EMAIL, then it would expect an e-mail address, and not an IP address.

I would recommend reviewing the documentation on the Intel framework:
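As an added example (not written by either poster), a small Python checker for Intel framework input files that flags rows whose indicator does not fit the declared indicator_type, which is the mismatch the reply points out (an IP address under Intel::EMAIL). The sample rows are constructed for this example; the layout follows the framework's tab-separated file with a `#fields` header.

```python
import ipaddress
import re

# Constructed sample intel file. Row 2 reproduces the mistake from the thread:
# an IP address declared as Intel::EMAIL. 203.0.113.0/24 is a documentation range.
SAMPLE_INTEL_FILE = "\n".join([
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.do_notice",
    "203.0.113.45\tIntel::EMAIL\tCIF\tknown threat\tT",
    "attacker@example.com\tIntel::EMAIL\tCIF\tknown threat\tT",
    "203.0.113.45\tIntel::ADDR\tCIF\tknown threat\tT",
    "bad.example.com\tIntel::DOMAIN\tCIF\tknown threat\tF",
])

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]+\.)+[a-z0-9-]+$", re.I)

def is_addr(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# Shape checks for the indicator types this example knows how to validate.
CHECKS = {
    "Intel::ADDR": is_addr,
    "Intel::EMAIL": lambda v: bool(EMAIL_RE.match(v)),
    "Intel::DOMAIN": lambda v: bool(DOMAIN_RE.match(v)),
}

def validate_intel(text):
    """Return (line_no, indicator, indicator_type, problem) tuples for bad rows."""
    problems = []
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]   # column names follow the "#fields" tag
            continue
        if not line or line.startswith("#"):
            continue                        # skip blank lines and other comments
        cols = line.split("\t")
        if fields is None or len(cols) != len(fields):
            problems.append((line_no, line, None, "column count differs from #fields header"))
            continue
        row = dict(zip(fields, cols))
        ind, ityp = row["indicator"], row["indicator_type"]
        check = CHECKS.get(ityp)
        if check is not None and not check(ind):
            problems.append((line_no, ind, ityp, "indicator does not look like a %s value" % ityp))
    return problems
```

Rows with a type this checker does not know (for example Intel::URL) pass through unflagged; only column count and the three shape checks are enforced.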