Hi everyone,
I wrote a few Bro scripts to cut my teeth on the language, if you all would like to check them out:
https://github.com/joshuaguild/bro_scripts
Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet.
RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a blacklist by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ.
Comments/criticism are welcome! (I’m a network guy, not a programmer, so…)
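For readers who want to see the shape of such a visibility check in Bro script, here is an added example; it is not one of the scripts from the repository linked above. It generalizes the idea slightly: the subnets to watch are a table with a label per subnet, Site::local_nets is merged in automatically, either endpoint of the connection can be tested, and a warning is raised periodically for watched subnets that have still produced nothing. The module name, log path, field names, check interval and the sample subnets are all assumptions.

```bro
##! Added example (not code from the linked repository): confirm that the
##! sensor sees traffic from every subnet it is supposed to cover.  The first
##! host seen per watched subnet is logged; subnets still unseen are reported.
##! Module, log path, field names and sample subnets are assumptions.

@load base/utils/site

module NetVisibility;

export {
    redef enum Log::ID += { LOG };

    ## One record per watched subnet, written the first time a host in it is seen.
    type Info: record {
        ts:    time   &log;  ## when the first host was seen
        net:   subnet &log;  ## watched subnet that matched
        host:  addr   &log;  ## first host seen in that subnet
        label: string &log;  ## operator-assigned name for the subnet
    };

    ## Which endpoint to test.  F checks c$id$orig_h (traffic leaving the
    ## watched subnets); T checks c$id$resp_h (traffic entering them).
    const check_responder = F &redef;

    ## Subnets the sensor is expected to see.  Constructed sample values;
    ## redef this from local.bro with your own address plan.
    const watched_nets: table[subnet] of string = {
        [10.1.0.0/16]      = "corp-users",
        [10.2.50.0/24]     = "dmz",
        [192.168.100.0/24] = "mgmt",
    } &redef;

    ## How often to warn about subnets that have not been seen yet.
    const check_interval = 1hr &redef;
}

## watched_nets plus everything in Site::local_nets, built at startup.
global effective_nets: table[subnet] of string;

## Subnets for which at least one host has been seen.
global seen_nets: set[subnet];

global check_coverage: event();

event bro_init()
    {
    Log::create_stream(NetVisibility::LOG, [$columns=Info, $path="net_visibility"]);

    for ( n in watched_nets )
        effective_nets[n] = watched_nets[n];

    # Anything defined as local_nets is something the sensor should see too.
    for ( n in Site::local_nets )
        if ( n !in effective_nets )
            effective_nets[n] = "local_nets";

    schedule check_interval { check_coverage() };
    }

event connection_established(c: connection)
    {
    local h = check_responder ? c$id$resp_h : c$id$orig_h;

    # A table indexed by subnet supports direct address lookup; the loop is
    # used instead so that every watched subnet containing h is recorded,
    # even where watched subnets overlap.
    for ( n in effective_nets )
        {
        if ( h in n && n !in seen_nets )
            {
            add seen_nets[n];
            Log::write(NetVisibility::LOG,
                       [$ts=network_time(), $net=n, $host=h, $label=effective_nets[n]]);
            }
        }
    }

event check_coverage()
    {
    for ( n in effective_nets )
        if ( n !in seen_nets )
            Reporter::warning(fmt("NetVisibility: no traffic seen yet from %s (%s)",
                                  n, effective_nets[n]));

    schedule check_interval { check_coverage() };
    }
```

Load it alongside your local.bro, redef watched_nets there, and check net_visibility.log after the sensor has been up for a while; a subnet that never appears in the log (and keeps showing up in reporter.log) is one whose traffic is not reaching the sensor. Using connection_established rather than new_connection avoids counting one-sided SYNs from scanners as proof of visibility.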
What about outgoing connections? Does it check for that?
Hi Abdul,
You could use it to verify outbound connections if you wanted.
Just change the c$id$orig_h to c$id$resp_h and populate the net_conn_nets set with the IPs you’d like to verify.
What’s your overall goal with monitoring outbound connections? There may be a more elegant way of achieving it.
Thanks!
> Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet.
I like that visibility script. It's a pretty neat idea. Let me know if you need any pointers for moving to local_nets.
> RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a black list by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ.
Cool idea too. Has it caught anything interesting?
One small suggestion I could make is that you might want to go through quickly and clean up the formatting of your scripts. You have tabs and spaces intermixed, and some parts just aren't indented to the correct depth; fixing that would make them a bit easier to read.
Thanks for putting those scripts out there. Cool ideas!
.Seth
Thanks! I’d love some help in adding the local_nets into the net_conn_nets set if you have the time.
The RDP script hasn’t been deployed just yet since I just wrote it but we’ll be pushing it out in our next build. I’ll let you know if we get hits on anything fun.
And I’ll go through today and clean up my formatting, I know it’s a mess right now.
No problem. My script may be a limited way to do this. If there are specific domains/IPs you’d like to watch for, then I’d recommend using the intel framework. This will log and notify.
https://www.bro.org/sphinx/frameworks/intel.html
Or you could use bro-cut on the id.resp_h field in your conn.log with some regex to remove private IPs (I think I have a one-liner for this somewhere).
Hope that helps!
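As an added example, not code from anyone in this thread, here is the "more elegant way" for the outbound-connection question done inside Bro rather than with bro-cut and a regex: the Site framework already knows what is local (Site::local_nets) and what is private address space (Site::is_private_addr), so the script logs every connection a local host initiates to an address that is neither, together with a running count of distinct external hosts that originator has contacted. The module name, log path, the ext_seen field and the sample local_nets value are assumptions.

```bro
##! Added example (not code from the thread's participants): log connections
##! that a local host initiates to an address outside Site::local_nets and
##! outside private address space, without hand-written regexes over conn.log.
##! Module, log path, ext_seen and the sample local_nets value are assumptions.

@load base/utils/site

module OutboundExternal;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;
        ## Distinct external hosts this originator has contacted so far.
        ext_seen: count   &log;
    };
}

## Normally set once in local.bro; constructed sample value here so the
## script is self-contained.  Site::is_local_addr() is driven by this set.
redef Site::local_nets += { 10.0.0.0/8 };

## Distinct external destinations per local originator, aged out daily.
global ext_dests: table[addr] of set[addr] &create_expire = 1day;

event bro_init()
    {
    Log::create_stream(OutboundExternal::LOG,
                       [$columns=Info, $path="outbound_external"]);
    }

event connection_established(c: connection)
    {
    local o = c$id$orig_h;
    local r = c$id$resp_h;

    # Only connections initiated from inside ...
    if ( ! Site::is_local_addr(o) )
        return;

    # ... to something that is neither local nor in private address space.
    # This is the "remove private IPs" step, using the Site framework's
    # own definition instead of a regex.
    if ( Site::is_local_addr(r) || Site::is_private_addr(r) )
        return;

    if ( o !in ext_dests )
        ext_dests[o] = set();
    add ext_dests[o][r];

    Log::write(OutboundExternal::LOG,
               [$ts=network_time(), $uid=c$uid, $id=c$id,
                $ext_seen=|ext_dests[o]|]);
    }
```

The uid in outbound_external.log lets you pivot straight back to the matching conn.log entry. If the goal is a fixed list of known-bad destinations rather than "anything external", the intel framework linked above is the better fit, since it also raises notices; this script is for the open-ended "what is talking out, and how widely" question.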