I was looking for ANY feedback on
what others were doing with bro and received NOTHING. So I assume people
are not really using it for any detection, but just as an educational tool
(which is fine!).
Well, LBL and UCB use it 24x7 for detection, quite effectively. I know
some other sites are running it seriously, too.
I continue to play with various policies. Some combinations crash bro,
some produce config parsing errors, some cause it to die a slow death,
etc.
Rather than just stating these as generalities, please send along specifics
so they can be investigated/fixed. (Feel free to do this privately if
you want.)
Here is what I use now:
Yep, that's what a number of our boxes use, except replace:
@load http
with @load http-reply in order to pick up HTTP requests & replies.
It works, doesn't detect much, some fun FTP attacks and weird RST packets.
Do you know if things are indeed being missed?
Vern
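The suggestion above is to load `http-reply` instead of `http` so that the policy sees server replies as well as client requests. As an added illustration, not part of this thread and not code from the Bro project, here is a small policy that builds on that: it loads `http-reply` and then uses the `http_request` and `http_reply` events to flag clients that accumulate many 4xx/5xx responses, a simple signal of scanning or brute-force activity against a web server. The event signatures assumed here are those of Bro's `http_request(c, method, original_URI, unescaped_URI, version)` and `http_reply(c, version, code, reason)`; the threshold and the hypothetical helper name `report_http_errors` are assumptions for this example.

```bro
# Added example: extend the "@load http-reply" advice with a tiny detector.
# Assumes the classic Bro event signatures for http_request / http_reply.
@load http-reply

# Per-client count of HTTP error replies (4xx/5xx), initialised to 0.
global http_error_count: table[addr] of count &default = 0;

# Assumed threshold: how many error replies before we say something.
const http_error_threshold = 20 &redef;

# Last request line seen on each connection, so a reply can be tied to it.
global last_request: table[conn_id] of string &default = "";

# Hypothetical helper: emit one line describing the client and its error count.
function report_http_errors(client: addr, n: count)
	{
	print fmt("%s: %d HTTP error replies from %s (threshold %d)",
		  network_time(), n, client, http_error_threshold);
	}

event http_request(c: connection, method: string, original_URI: string,
		   unescaped_URI: string, version: string)
	{
	# Remember what the client asked for; the reply handler uses it.
	last_request[c$id] = fmt("%s %s", method, unescaped_URI);
	}

event http_reply(c: connection, version: string, code: count, reason: string)
	{
	# Only server-side errors are interesting for this detector.
	if ( code < 400 )
		return;

	local client = c$id$orig_h;
	++http_error_count[client];

	# Report exactly once, when the client crosses the threshold.
	if ( http_error_count[client] == http_error_threshold )
		{
		report_http_errors(client, http_error_count[client]);
		print fmt("  last request on %s: %s -> %d %s",
			  c$id$resp_h, last_request[c$id], code, reason);
		}
	}

event connection_state_remove(c: connection)
	{
	# Drop per-connection state so the table does not grow without bound.
	delete last_request[c$id];
	}
```

Without `@load http-reply` the `http_reply` handler above would never fire, since the plain `http` policy only delivers requests; that is the practical difference the reply in the thread points at. The per-client table is never expired here, so a long-running instance would want an `&create_expire` or periodic cleanup on `http_error_count`.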