IPS Functionality in BRO

Anandraj · August 1, 2006, 3:59pm

Hi,
I was just goin through the BRO USER Manual and Found that BRO does some
amount of Prevention .
I did try "IPS" by adding the following in hot.bro .

const terminate_successful_inbound_service: table[port] of string = {
[22/tcp] = "SSH",
} &redef;

also i did change the ssh.bro to the following .

redef restrict_filters += { ["ssh"] = "port 22" };

But in vain , i could NOT prevent the ssh traffic.
I was able to ssh to other machines and also other machines were able to
ssh to my machine.

Could somebody shed some light on this?
Any pointers about the BRO with IPS would be really helpful .

Thanks,
Anand

Vern · August 2, 2006, 6:00am

const terminate_successful_inbound_service: table[port] of string = {
[22/tcp] = "SSH",
} &redef;

also i did change the ssh.bro to the following .

redef restrict_filters += { ["ssh"] = "port 22" };

But in vain , i could NOT prevent the ssh traffic.

Do you get any output? Is the "rst" tool in your path and setuid root so
it can forge tear-down traffic?

Vern

Topic		Replies	Views
Flow blocking with iptables from Bro Zeek	5	178	May 6, 2022
Bro as an IPS Zeek	2	70	May 6, 2022
Exclude IPS Zeek	4	88	May 6, 2022
Bro as an IPS Zeek	2	86	May 6, 2022
Ip-based Zeek	5	82	May 6, 2022

IPS Functionality in BRO

Related Topics