In this exercise, we will change some of Bro's default parameters, such as the notice policy and the packet filter. For all of the following, again use the trace trace-1.pcap.

  1. White-listing and black-listing.

    a. Tune the scan.bro policy so that it does not generate any PortScan notices for the host 10.20.11.60.

    b. Adapt ftp.bro so that it considers evil.tar.gz a sensitive filename and alarms once it sees that file being requested.

  2. Adapting the notice reporting.

    a. Adapt the table notice_action_filters (defined in notice.bro) so that AddressScans are filed only into notice.log and no longer into alarm.log.

    b. Extend Bro's notice_policy (likewise defined in notice.bro) so that PortScans from 10.20.11.60 are not reported as alarms.

    c. Compare the white-listing as done in (2b) with (1a). What's the difference?

  3. Adapting capture/restrict filters.

    a. Include TCP port 2222 in Bro's capture filter and configure the SSH analyzer to examine connections on that port. How does ssh.log change?

    b. Adapt Bro's packet filter so that it excludes the host 10.20.11.60 from any analysis.
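The following site policy file is an added example sketch for all three tasks; it is not part of the original exercise sheet or of the Bro distribution. Rather than editing the shipped scan.bro, ftp.bro, ssh.bro and notice.bro in place, it redefines their tunable variables from a separate file, which has the same effect and survives upgrades. The variable and function names used here (skip_scan_sources, ftp_sensitive_files, notice_action_filters, file_notice, notice_policy, capture_filters, ssh_ports, restrict_filters) are assumed from the Bro 1.x policy scripts; check each one against the copy in your installation's policy/ directory before relying on it.

```bro
# exercise-tuning.bro -- added example, not shipped Bro policy.
# All redef'd names below are assumptions taken from the Bro 1.x policy
# scripts; verify them against policy/scan.bro, ftp.bro, ssh.bro, notice.bro.
# Run, for example, as:  bro -r trace-1.pcap brolite exercise-tuning.bro

@load notice
@load scan
@load ftp
@load ssh

## 1a. White-list 10.20.11.60 inside the scan detector itself.
## skip_scan_sources is consulted before any scan state is kept for a
## source, so no PortScan (or AddressScan) notice is ever produced for it.
redef skip_scan_sources += { 10.20.11.60 };

## 1b. Black-list a filename. ftp_sensitive_files is a pattern; "+=" on a
## pattern ORs the new alternative in, so evil.tar.gz now triggers the
## FTP_Sensitive notice like the built-in /etc/passwd style entries do.
redef ftp_sensitive_files += /evil\.tar\.gz/;

## 2a. Keep generating AddressScan notices, but only file them to notice.log.
## file_notice is one of the predefined notice-action filter functions.
redef notice_action_filters += {
	[AddressScan] = file_notice,
};

## 2b. Downgrade PortScan notices from 10.20.11.60 at the reporting stage.
## The notice is still generated and logged; only the alarm is suppressed.
## Priority 1 wins over the default catch-all entry, which has priority 0.
redef notice_policy += {
	[$pred(n: notice_info) =
		{ return n$note == PortScan && n?$src && n$src == 10.20.11.60; },
	 $result = NOTICE_FILE,
	 $priority = 1],
};

## 3a. Capture TCP port 2222 and tell the SSH analyzer to look at it.
## The table key only has to be unique; capture_filters entries are ORed.
redef capture_filters += { ["ssh-2222"] = "tcp port 2222" };
redef ssh_ports += { 2222/tcp };

## 3b. Restrict filters are ANDed with the combined capture filter, so this
## drops every packet to or from 10.20.11.60 before any analyzer sees it.
## Run this part separately: with it active, 1a and 2b never see any traffic
## from that host and cannot be compared.
redef restrict_filters += { ["skip-10.20.11.60"] = "not host 10.20.11.60" };
```

To see the effect of each change, run the trace once with the stock policy and once with this file loaded, and diff notice.log, alarm.log and ssh.log between the two runs (Bro prints the final BPF expression it installed when started with the -t or the verbose flag of your version, which is the quickest way to confirm that 3a and 3b produced the filter you intended). Comment out section 3b while working on 1a, 2b and 2c, since a restrict filter that removes the host's packets hides the difference between suppressing a notice in the detector and suppressing it in the notice policy.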