One Paragraph of project description goes here
These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.
### Keybase proof

I hereby claim:

* I am liamrandall on github.
* I am liamrandall (https://keybase.io/liamrandall) on keybase.
* I have a public key ASDOOp_WKcK6A0ME0cGNmAhbJUg1f_7A9G0z5Rzne_fvcgo

To claim this, I am signing this object:
```
wpad:tmp2 liamrandall$ bro -r /Users/liamrandall/TrafficSamples/xmas2011.pcap local "Site::local_nets += {10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12}"
wpad:tmp2 liamrandall$ ls *.log
conn.log ftp.log known_hosts.log loaded_scripts.log packet_filter.log signatures.log software.log
files.log http.log known_services.log notice.log pe.log smtp.log
wpad:tmp2 liamrandall$ bro -v
bro version 2.4-beta
wpad:tmp2 liamrandall$ less known_
known_: No such file or directory
wpad:tmp2 liamrandall$ cat known_hosts.log
#separator \x09
```

```
0.000000 bro_init
0.000000 filter_change_tracking
1406693027.271405 ChecksumOffloading::check
1406693027.271405 filter_change_tracking
1406693027.271405 new_connection
[0] c: connection = [id=[orig_h=2600:100c:b00b:608b:a54c:8e84:2fe0:b532, orig_p=65378/tcp, resp_h=2607:f8b0:4000:805::1015, resp_p=443/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=189105], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0], start_time=1406693027.271405, duration=0.0, service={^J^J}, addl=, hot=0, history=, uid=C5abPgn1C03Sbffqi, tunnel=<uninitialized>, dpd=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, radius=<uninitialized>, snmp=<uninitialized>, smtp=<uninitial
```
```python
#!/usr/bin/env python2
##
## This script takes a line from the dpd.log generated with the
## policy/frameworks/dpd/packet-segment-logging.bro script, and
## outputs a PCAP to stdout
##
## Vlad Grigorescu
## vlad@broala.com
##
```
```
curl -H 'Host: www.cyberciti.biz' -H 'Host: www.google.com' 75.126.153.206:80
```
```bro
##! DNS Detect Abnormal Number of Lookup Failures
##! Watches for hosts receiving an abnormal number of NXDOMAIN DNS lookup failures
##! Improvements & derivatives
@load base/protocols/dns
@load base/frameworks/sumstats
@load base/utils/time
```
We start with an extremely simple case: loading some data and matching it. First, create an intelligence file in Bro's intelligence format. Create a file named "intel1.dat" with the following content. Keep in mind that all fields are separated by literal tabs! Double-check that you don't have spaces as separators.

```
#fields<TAB>indicator<TAB>indicator_type<TAB>meta.source
fetchback.com<TAB>Intel::DOMAIN<TAB>my_special_source
```
The next step is to load this data into Bro, which is done with a configuration option. Put the following script into the same directory as your "intel1.dat" file and call it "intel-1.bro".

```bro