I am working with Bro and CIF Server through the Intel framework.
Everything is OK when I test with Infrastructure/scan for the SSH protocol. But I have problems when I want to filter scanning attacks against Gmail users.
I assumed that a filter for SMTP is:
184.108.40.206 Intel::Email CIF - need-to-know smtp http://www.openbl.org/lists/base_all_smtp-only.txt (public) - medium 85
- 220.127.116.11 (known threat)
I copied this filter into a file (e.g., smtp.intel) and put it at ./local.bro
I reinstalled bro:
Bro is running with the new filter shown above.
Finally, I tried to access a Gmail account from the IP 18.104.22.168 (malicious IP) and I didn't receive any response (alert) from Bro IDS. Thus, I wonder: how can I filter malicious users that launch attacks against Gmail accounts? How do I have to work to counter this attack?
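As an added example (not part of the original post, and not CIF or Bro project code), this script builds what the Bro Intel framework actually expects for the IP in the question: a separate, TAB-separated intel file whose indicator type matches the indicator (Intel::ADDR for an IP address; Intel::EMAIL is for e-mail addresses), plus the three lines that go in local.bro to load the file and turn matches into notices. The file paths, the description text and the CIF source label are assumptions for illustration; the URL is the one from the question. The check function catches the most common mistake with hand-written intel files, fields separated by spaces instead of tabs, which the input framework silently rejects.

```bash
#!/usr/bin/env bash
# Added example: build and sanity-check a Bro Intel framework file and the
# local.bro lines that load it. Assumes Bro 2.x with the stock
# frameworks/intel scripts; all paths are hypothetical.
set -eu

# Write the intel file. The input framework requires TAB-separated fields,
# so the tabs are written explicitly with printf. An IP indicator must use
# Intel::ADDR; meta.do_notice=T makes a match raise Intel::Notice.
write_intel_file() {
  local out="$1"
  printf '#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice\n' > "$out"
  printf '%s\tIntel::ADDR\tCIF\t%s\t%s\tT\n' \
    '18.104.22.168' \
    'openbl smtp scanner (constructed description)' \
    'http://www.openbl.org/lists/base_all_smtp-only.txt' >> "$out"
}

# Return 0 if the file is well-formed for the input framework:
#  - first line is a #fields header,
#  - every data row has exactly as many TAB-separated fields as the header
#    names (the "#fields" token itself is not a field),
#  - the second column is an Intel:: indicator type.
# A row typed with spaces instead of tabs shows up as a single field and fails.
check_intel_file() {
  awk -F'\t' '
    NR == 1 { if ($1 != "#fields") exit 1; n = NF - 1; next }
    /^#/ || /^$/ { next }
    NF != n { exit 1 }
    $2 !~ /^Intel::/ { exit 1 }
  ' "$1"
}

# The intel file is NOT local.bro itself; local.bro only points at it.
# frameworks/intel/seen feeds observed hosts (including the originator IP of
# every established connection, so an HTTPS login to Gmail counts), URLs,
# e-mail addresses etc. to the matcher; frameworks/intel/do_notice raises
# Intel::Notice for rows with meta.do_notice=T. Matches land in intel.log,
# notices in notice.log.
write_local_bro() {
  local out="$1" intel="$2"
  cat > "$out" <<EOF
@load frameworks/intel/seen
@load frameworks/intel/do_notice
redef Intel::read_files += { "$intel" };
EOF
}

main() {
  local dir
  dir="$(mktemp -d)"
  write_intel_file "$dir/smtp.intel"
  check_intel_file "$dir/smtp.intel" && echo "smtp.intel: tab-separated fields OK"
  write_local_bro "$dir/local.bro" "$dir/smtp.intel"
  echo "--- lines to append to site/local.bro ---"
  cat "$dir/local.bro"
}
main
```

Use an absolute path in Intel::read_files, then run `broctl check`, `broctl install` and `broctl restart` so the running instance picks up the new local.bro. A hit on the IP appears in intel.log at connection setup, independent of whether the traffic is SMTP or HTTPS.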