Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 00:28:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Updates to Bro IDS documentation

Browse source
This commit is contained in:
Jeannette Dopheide 2014-01-30 13:13:26 -06:00
parent 1ee4734f5d
commit c7cacb56b8
1 changed files with 12 additions and 13 deletions
Download patch file Download diff file Expand all files Collapse all files

25
doc/broids/index.rst
View file

@ -16,18 +16,18 @@ In the following sections, we present a few examples of common uses of
Bro as an IDS. Bro as an IDS.
------------------------------------------------ ------------------------------------------------
Detecting an FTP Bruteforce attack and notifying Detecting an FTP Brute-force Attack and Notifying
------------------------------------------------ ------------------------------------------------
For the purpose of this exercise, we define FTP bruteforcing as too many For the purpose of this exercise, we define FTP brute-forcing as too many
rejected usernames and passwords occurring from a single address. We rejected usernames and passwords occurring from a single address. We
start by defining a threshold for the number of attempts and a start by defining a threshold for the number of attempts, a monitoring
monitoring interval in minutes as well as a new notice type. interval (in minutes), and a new notice type.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
:lines: 9-25 :lines: 9-25
Now, using the ftp_reply event, we check for error codes from the `500 Using the ftp_reply event, we check for error codes from the `500
series <http://en.wikipedia.org/wiki/List_of_FTP_server_return_codes>`_ series <http://en.wikipedia.org/wiki/List_of_FTP_server_return_codes>`_
for the "USER" and "PASS" commands, representing rejected usernames or for the "USER" and "PASS" commands, representing rejected usernames or
passwords. For this, we can use the :bro:see:`FTP::parse_ftp_reply_code` passwords. For this, we can use the :bro:see:`FTP::parse_ftp_reply_code`
@ -38,9 +38,9 @@ function to break down the reply code and check if the first digit is a
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
:lines: 52-60 :lines: 52-60
Next, we use the SumStats framework to raise a notice of the attack of Next, we use the SumStats framework to raise a notice of the attack when
the attack when the number of failed attempts exceeds the specified the number of failed attempts exceeds the specified threshold during the
threshold during the measuring interval. measuring interval.
.. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro .. btest-include:: ${BRO_SRC_ROOT}/scripts/policy/protocols/ftp/detect-bruteforcing.bro
:lines: 28-50 :lines: 28-50
@ -56,14 +56,14 @@ Below is the final code for our script.
As a final note, the :doc:`detect-bruteforcing.bro As a final note, the :doc:`detect-bruteforcing.bro
</scripts/policy/protocols/ftp/detect-bruteforcing.bro>` script above is </scripts/policy/protocols/ftp/detect-bruteforcing.bro>` script above is
include with Bro out of the box, so you only need to load it at startup included with Bro out of the box. Use this feature by loading this script
to instruct Bro to detect and notify of FTP bruteforce attacks. during startup.
------------- -------------
Other Attacks Other Attacks
------------- -------------
Detecting SQL Injection attacks Detecting SQL Injection Attacks
------------------------------- -------------------------------
Checking files against known malware hashes Checking files against known malware hashes
@ -76,5 +76,4 @@ list of known malware hashes. Bro simplifies this task by offering a
:doc:`detect-MHR.bro </scripts/policy/frameworks/files/detect-MHR.bro>` :doc:`detect-MHR.bro </scripts/policy/frameworks/files/detect-MHR.bro>`
script that creates and compares hashes against the `Malware Hash script that creates and compares hashes against the `Malware Hash
Registry <https://www.team-cymru.org/Services/MHR/>`_ maintained by Team Registry <https://www.team-cymru.org/Services/MHR/>`_ maintained by Team
Cymru. You only need to load this script along with your other scripts Cymru. Use this feature by loading this script during startup.
at startup time.