Exercise 1: Basic Bro Operation
Run Bro on a trace file. Input files: trace1.tcpdump and buffer-overflow-attack.tcpdump
First, create a file mysite.bro that sets local_nets for 10.20.1.0/24:
Then run bro with the following analyzers: tcp alarm weird
Look at the log files (alarm.log, notice.log, conn.log, http.log, etc.)
Try some other analyzers, and look at log files:
bro -r trace1.tcpdump tcp alarm weird ftp smtp
bro -r buffer-overflow-attack.tcpdump tcp alarm weird ftp
bro -r trace1.tcpdump scan alarm weird
What is the capture filter for each of the above?
Modify capture/restrict filters:
a) Add port 2222 to the capture filter and tell the ssh analyzer to look at port 2222
b) Restrict host 10.20.11.75 from Bro's packet filter (exclude it via the restrict filter)
Whitelist exercise:
Tune the scan.bro policy so that it does not generate a PortScan Notice for host 10.20.11.92
notice_policy exercises:
a) Use 'notice_action_filters' to send the following notices to the notice file only, not to the alarm file:
WeirdActivity, BackscatterSeen, RetransmissionInconsistency
b) Don't generate an alarm (only a notice) for host 10.20.11.75
Other stuff to try:
redef use_tagging = T;
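One mysite.bro that works through all of the exercises above (local_nets, the capture/restrict filter changes, the scan whitelist, both notice_policy parts and use_tagging) is given below. It is an added example written for this sheet, not a file shipped with Bro; the variable names ssh_ports and skip_scan_sources are assumed to be the redef-able sets that ssh.bro and scan.bro expose, and "ssh-alt" / "no-noisy-host" are just constructed filter labels.

```bro
# mysite.bro: constructed solution for Exercise 1 (assumed variable names noted).
# Run as:  bro -r trace1.tcpdump mysite tcp alarm weird ssh scan
@load site
@load notice
@load scan
@load ssh

# Exercise 1: the address space the traces were captured on.
redef local_nets: set[subnet] = { 10.20.1.0/24 };

# Capture filter, part a): capture_filters entries are OR-ed into the BPF
# filter Bro hands to libpcap, so port 2222 traffic is now captured at all.
# The ssh analyzer only parses ports listed in ssh_ports (assumed name).
redef capture_filters += { ["ssh-alt"] = "tcp port 2222" };
redef ssh_ports += { 2222/tcp };

# Part b): restrict_filters are AND-ed with the capture filter, so this
# host is dropped before any analyzer sees it (and before any notice).
redef restrict_filters += { ["no-noisy-host"] = "not host 10.20.11.75" };

# Whitelist exercise: scan.bro does not count connections from these
# sources, so 10.20.11.92 can no longer trigger PortScan (assumed name).
redef skip_scan_sources += { 10.20.11.92 };

# notice_policy part a): file_notice() returns NOTICE_FILE, so these three
# notice types are written to notice.log but never to alarm.log.
redef notice_action_filters += {
    [WeirdActivity] = file_notice,
    [BackscatterSeen] = file_notice,
    [RetransmissionInconsistency] = file_notice,
};

# Part b): a notice_policy predicate runs for every notice type; the
# highest-priority matching item decides the action, so any notice whose
# source is 10.20.11.75 is filed instead of alarmed.
redef notice_policy += {
    [$pred(n: notice_info) = { return n?$src && n$src == 10.20.11.75; },
     $result = NOTICE_FILE,
     $priority = 1],
};

# Other stuff to try: tag every log line with a per-notice tag so that
# alarm.log, notice.log and conn.log entries can be cross-referenced.
redef use_tagging = T;
```

To answer "What is the capture filter?", load print-filter alongside the analyzers (assumed to be present in your policy directory as print-filter.bro); it prints the combined BPF expression Bro would use and exits, which is also the quickest way to confirm that "tcp port 2222" and "not host 10.20.11.75" ended up in it.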