I am very new to bro, i dont quite fully understand how traces work.
What i need to do is generate some attack traffic to test the changes i am trying to make. I see there are some traces in bro, how do these work?
As in how can i use those to test with bro?
Also in the bro traces, i dont find the traffic for DOS attack and sql injection attack, can we find the traces for these somewhere else?
Thanks and regards
you can read in trace files via a command shell:
bro -r <your_trace_file>
Bro will then generate log files in the directory you run the command.
To test a bro-script with a trace file you could run the command
bro -r <your_trace_file> <your_bro_script>
That’s great thanks.
Could anyone please let me know, what if we want to test some attack traffic which is not mentioned in the traces.
How do we do that?
Do we have some more traces present which don’t come to bro directory by default?
Because I feel SQL Injection and HTTP brute force are common attack traffic and should ideally be present in the traces.
Btw if you want to test your config add local after the bro -r tracefile.
You can also use tcpreplay and send the pcap to your listening interface.
Bro does not work as a classic IDS that will send an alert, bro, as far as I know, will log the connexions and maybe send a notice
if there is a script telling it to do so but it’s not a signature IDS like a Snort.
That's great thanks.
Could anyone please let me know, what if we want to test some attack
traffic which is not mentioned in the traces.
You generate your own traces using tcpdump.
How do we do that?
Use tcpdump to capture what ever traffic you want to try with bro. You might need to generate that kind of traffic. checkout tcpdump and wireshark.
Do we have some more traces present which don't come to bro directory by
YOu can Google for traces/pcaps.
Because I feel SQL Injection and HTTP brute force are common attack traffic
and should ideally be present in the traces.
Ideally! May be you can generate those and contribute back to the community.
Unfortunately, getting representative test traffic is frequently very difficult. For the SQL injection script specifically it would be nearly impossible to have a trace that has all of the potential variants of attacks so I resorted to testing the regular expression more directly. I believe that regex needs to be updated some too because I know there are a lot of false positives that the internet is causing on it these days.
If you want to see the SQL injection regex test suite, you can see it here:
Thanks for the help.
So if my understanding is correct, running the traces on bro is as good as sending the same traffic which is present in the pcap from another system on to bro?
Here is a nice testing set with pcap’s