Questions tagged [bro]

Bro is the former name of Zeek. Zeek is a network analysis framework - implemented as a domain specific programming language to enable users to create powerful network security monitoring (NSM) capabilities while also providing a comprehensive platform for general network traffic analysis.

From the Zeek website:

Adaptable

Zeek's domain-specific scripting language enables site-specific monitoring policies.

Efficient

Zeek targets high-performance networks and is used operationally at a variety of large sites.

Flexible

Zeek is not restricted to any particular detection approach and does not rely on traditional signatures.

Forensics

Zeek comprehensively logs what it sees and provides a high-level archive of a network's activity.

In-depth Analysis

Zeek comes with analyzers for many protocols, enabling high-level semantic analysis at the application layer.

Highly Stateful

Zeek keeps extensive application-layer state about the network it monitors.

Open Interfaces

Zeek interfaces with other applications for real-time exchange of information.

Open Source

Zeek comes with a BSD license, allowing for free use with virtually no restrictions.

References:

69 questions

votes

1 answer

Bro IDS signature_match trigger

I am new to BRO and just started to test signature on BRO. I have one script, main.bro, and a signature file, protosigs.sig. The idea is to compare the signature and do something within the rewritten event function - signature_match. I tried to use…

signature bro zeek

asked Jun 27 '18 at 10:17

Xifeng

votes

1 answer

Bro: Disable reading and writing of .state/state.bst

I'm using Bro to crunch a whole lot of pcap files, so I want to run a bunch of instances in parallel, but I'm worried that they will trip over each other accessing the persistent state file (.state/state.bst). Is there any way to tell Bro that it…

bro zeek

asked Jun 20 '18 at 00:26

zwol

135,547
38
252
361

votes

1 answer

Sematext Logagent Elasticsearch - Indexes not being created?

I'm trying to send data to Elasticsearch using logagent but while there doesn't seem to be any error sending the data, the index isn't being created in ELK. I'm trying to find the index by creating a new index pattern via the Kibana GUI but the…

elasticsearch kibana bro zeek

asked May 01 '18 at 21:31

V. Zed

votes

1 answer

Errors when running /scripts/base/protocols/conn/

When trying to run the main.bro file in the conn directory using the following command: bro -i [interface] /location/to/bro/file/ I get the following errors: error in /home/ec2-user/bro/bro-2.5.1/scripts/base/protocols/conn/main.bro, line 14:…

logging bro zeek

asked Nov 15 '17 at 16:49

David

votes

1 answer

Changing bro logging Defaults

I want to enable logging of MAC adresses as well as hostnames using Bro. I have been using Bro for a while, but I am still a bit new to it. Version: Bro 2.5.1 From researching this a bit, I found that I can log this by enabling …

hostname mac-address bro

asked Oct 25 '17 at 09:40

Francois

votes

1 answer

Collect statistics on current traffic with Bro

I want to collect statistics on traffic every 10 seconds and the only tool that I found is connection_state_remove event, event connection_state_remove(c: connection) { SumStats::observe( "traffic", [$str="all"] [$num=c$orig$num_bytes_ip]…

bro traffic-measurement zeek

asked Oct 19 '17 at 08:58

nnovzver

votes

1 answer

BrO IDS unable to start after updating interface

I have build Bro IDS from source code. It's successfully installed user@ubuntu:~$ bro -v bro version 2.4.1 I am running bro in VM. My Ethernet interface in ens33 instead of eth0. After updating node.cfg to my custom interface i.e. ens33 , i am…

interface bro

asked Sep 21 '17 at 05:42

baymax Robo

votes

1 answer

Is there any P2P analyzer in bro ids

I have to analyze few pcap files. I have installed bro 2.5. It works perfectly. But It does not give any information (e.g. data transfer, peers) about p2p connections like torrent etc. Is their any builtin option? Please give some example…

wireshark libpcap traffic bro

asked Apr 18 '17 at 12:36

Hafiz Muhammad Shafiq

8,168
12
63
121

votes

1 answer

How to add Bit torrent analyzer to bro IDS

I have to analyze some pcap files using bro IDS. It have a lot of built in analyzer. I have to enable bit torrrent analyzer. Its details are give here. How I have enable it?

bro

asked Apr 10 '17 at 12:51

Hafiz Muhammad Shafiq

8,168
12
63
121

votes

1 answer

How to get statistics of torrent used in pcap file using bro IDS

I have to analyze pcap file using bro IDS. I have done a lot of work but one thing is missing that is how can I found the states of torrent used. Is there some plugin in bro IDS that I have to enable ?

pcap network-traffic bro

asked Apr 06 '17 at 06:08

Hafiz Muhammad Shafiq

8,168
12
63
121

votes

2 answers

while start the bro the error is coming "error occurred while trying to send mail: send-mail: SENDMAIL-NOTFOUND not found"

I've installed the Bro IDS but when I try to start the service an error is coming that : Error: error occurred while trying to send mail: send-mail: SENDMAIL-NOTFOUND not found starting ... starting bro ... bro terminated immediately after starting;…

ubuntu-16.04 bro

asked Jan 18 '17 at 11:52

ZeroNullByte

votes

1 answer

Bro is not extracting all files from Pcap file

I wrote this bro script to extract all files from a Pcap file. The problem is that it is not extracting all files. I have a http.cap that I analyzed with Wireshark, and I exported Http objects resulting in to 2 .html files. My bro script is…

file wireshark pcap extract bro

asked Nov 22 '16 at 15:36

aperezfals

1,341
1
10
26

votes

1 answer

Bro 2.4.1 generating E-mail notice for SSH Bruteforce Attack

I'm having trouble generating an email notice when someone is trying to do an ssh bruteforce attack on my server with Bro (v2.4.1). I have a Bro script like this which redefines the max login attemps to 5 per 24 hours: @load…

security ssh bro

asked Nov 11 '16 at 14:18

lange

votes

1 answer

why bro ids does not show youtube traffic by default

I have configured bro IDS on my centos system. I have all default configuration. I have started bro by simply broctl start and then I played some vides in youtube and open some other sites. I am amazed that in logs (like http.log) contains other…

networking youtube bro

asked May 19 '16 at 10:08

Hafiz Muhammad Shafiq

8,168
12
63
121

votes

1 answer

youtube plugin for traffic monitoring using bro IDS

I have configured bro latest version by its quickstart guide. I have to monitor youtube users statistics. Default plugins in base/* are loaded by default. By running bro with default setting does not provides youtube statitics i.e. connection , ip…

security youtube bro

asked May 18 '16 at 11:26

Hafiz Muhammad Shafiq

8,168
12
63
121

Prev 1 2 3

5 Next