Posted about 13 years ago
Bro_IDS: “@chort0: @Bro_IDS Cool, thanks for the tips.” No problem! Maybe we'll drop some more hints like that again sometime.

Posted about 13 years ago
Bro_IDS: RT @srunnels: So, I'm speaking at the @Bro_IDS Exchange in August. Last night was the first nightmare about showing up woefully unprepared.

Posted about 13 years ago
Bro_IDS: @chort0 The SSH::Watched_Country_Login notice comes from <prefix>/share/bro/policy/protocols/ssh/geo-data.bro. Copy that and edit away!

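As an added example (not code from the Bro project or from the tweets), a local site script that tunes the watched-country check from outside instead of editing the shipped geo-data.bro. It assumes Bro 2.x names: the `SSH::watched_countries` set exported by geo-data.bro and the `Notice::policy` hook; the country codes are constructed placeholders.

```bro
# Added example, not part of the Bro distribution. Assumes Bro 2.x:
# SSH::watched_countries (exported by geo-data.bro) and the
# Notice::policy hook. Adjust the names if your version differs.
@load protocols/ssh/geo-data

# ISO country codes whose successful SSH logins should raise
# SSH::Watched_Country_Login. "XX" and "YY" are constructed placeholders.
redef SSH::watched_countries += { "XX", "YY" };

# Escalate only this notice type: e-mail it and suppress repeats for the
# same source/destination pair for an hour, leaving the shipped script intact.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Watched_Country_Login )
        {
        add n$actions[Notice::ACTION_EMAIL];
        n$suppress_for = 1hr;
        }
    }
```

Drop the script into your site directory (for example next to local.bro) and @load it from local.bro so the redef and the hook are picked up at startup.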
Posted about 13 years ago
Bro_IDS: @chort0 We ship scripts that cover a wide range of scenarios but the real power comes from you writing your own.

Posted about 13 years ago
Bro_IDS: @chort0 SSH::Interesting_Hostname_Login notice. Watch for SSH logins with infrastructure hosts (ns, smtp, mail, pop3, etc).

Posted about 13 years ago
Bro_IDS: @chort0 SSH::Watched_Country_Login notice. Don't like certain countries (GeoIP) logging in? Watch them.

Posted about 13 years ago
Bro_IDS: @chort0 ssh.log has an SSH authentication heuristic. You may have logs for inbound logins, but do you have logs for outbound?

Posted about 13 years ago
Bro_IDS: @chort0 HTTP::SQL_Injection_Victim in notice.log. Threshold-based SQL injection attack discovery, frequently discovers data stealing.

Posted about 13 years ago
Bro_IDS: @chort0 Watch for HTTP::Malware_Hash_Registry_Match in notice.log. Automated hash-based malware discovery over HTTP.

Posted about 13 years ago
Bro_IDS: RT @srunnels: Added bug fixes & bro-event-query to allow keyword lookups for built-in events to my @bro_ids major mode for emacs. h ...