How can I counter attacks to GMAIL accounts coming from known threats?

Javier_Richard_Quint · July 12, 2015, 3:53am

Hi everyone,

I am working with Bro and CIF Server through the Intel framework.

All is ok when I test with Infrastructure/scan for SSH protocol. But I have problems when I want to filter attacks of scanning against Gmail users.

I assumed that a filter for SMTP is:

11.1.1.21 Intel::Email CIF - need-to-know smtp http://www.openbl.org/lists/base_all_smtp-only.txt (public) - medium 85

11.1.1.21 (known threat)

I copy this filter in a file (e.g., smtp.intel) and I put at ./local.bro

I reinstalled bro:

broctl stop
broctl check
broctl install
broctl start

Bro is running with the new filter shown above.

Finally, I tried to access to a GMAIL account from the IP 11.1.1.21 (malicious IP) and I didnt receive some response (alert) from Bro IDS. Thus, I wonder How Can I filter malicious users that launches attacks to Gmail account?. How Do I have to work to counter this attack?

Thank you,
Javier

Vlad_Grigorescu1 · July 12, 2015, 9:09am

I don’t understand what you’re trying to do. The SSH scan is for authentication brute-forcing. Is that what you’re trying to detect for GMail as well? Over what protocol(s)?

If your intel type is Intel::EMAIL, then it would expect an e-mail address, and not an IP address.

I would recommend reviewing the documentation on the Intel framework: https://www.bro.org/sphinx/frameworks/intel.html

–Vlad

Topic		Replies	Views
Intel hits not being emailed Zeek	3	76	May 6, 2022
SMTP Analyzer Zeek	2	106	May 6, 2022
Bro Intel framework - filter out Zeek	7	147	May 6, 2022
Email Notice Suppression Zeek	2	65	May 6, 2022
SSH brute-force email notice Zeek	11	112	May 6, 2022

How can I counter attacks to GMAIL accounts coming from known threats?

Related topics