Dear Mr. Paxson:
I am a undergraduate student in China.When I try to use bro I have met some puzzles and I wish I could get help from you.
First of all if bro detect intrusion activity,what will it do?Write this intrusion activity to log or print real-time notification in the screen.
Secondly I have run bro many times in the LAN of my lab.But it did not have any response.So I am not sure if it is working.By th way,where does the bro's intrusion log file locate in linux?
Thirdly would you please give me a list of which type of intrusion can bro detect and the corresponding intrusion signature of each intrusion activity bro can detect?
Thank you very much for your kind guide and help.
Yours Sincerely
Lee
First of all if bro detect intrusion activity,what will it do?Write this
intrusion activity to log or print real-time notification in the screen.
It is capable of doing both.
You can look look for *.log files in the same directory where bro
executable is there.
So I am not sure if it is working !
If bro starts correctly it will print
listening on interface <eth0|eth1> ....
Are you getting this message ?
Thirdly would you please give me a list of which type of intrusion can
bro detect and the corresponding intrusion signature of each intrusion
activity
bro can detect?
It can detect almost everything if you can write the signature /
analysis module into its policy scripts.
By default it detects common alerts like
- portscan
- land attack
- malicious fragments like (size < min_size)
etc
etc
You can get a lot of these information in the bro user manual
which comes along with the distribution...
You can look for it in the doc/ directory.
Hope that helps.
-ashley thomas