Does anybody utilize custom bro scripts, or have you found use for publicly available bro scripts? They seem interesting, but I am unsure if they're useful because it seems as though the same data is captured by Snort and the pcap agent. I was looking at the ones made by CrowdStrike and have tested the tor one, and it does work; however, it offers no more information than the results of the TOR ET Snort rule fire provides. Does anybody use these or other bro scripts that don't come with SO by default? Thanks.
Jesse,
Custom Bro scripts can be very useful. Keep in mind, Bro, by default, is policy neutral, so you can define any type of action you wish to enact once a certain event is triggered, whether it is considered "malicious" or not. Bro does not consider any type of event "good" or "bad". This allows for a great amount of flexibility when processing/responding to/cataloging events, in that it allows you, the analyst, to define how to handle/categorize them. Snort is rule/signature-based in that if traffic matches a particular pattern or set of constraints, it labels it as "bad", and alerts you. These, of course, are different techniques/strategies, and each has its own pros/cons.
Thanks,
Wes
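As an added illustration of the event-driven, policy-neutral model Wes describes (this is example code, not something from the thread, Security Onion, or the CrowdStrike scripts): a minimal custom Bro script that hooks the built-in `http_header` event and raises a Notice when an HTTP client presents a User-Agent that the analyst has decided is worth cataloging. The module name `CustomExample`, the notice type `Scripted_User_Agent`, and the user-agent pattern are all assumptions chosen for the example; nothing here is "bad" until the analyst's own handler says so, which is the point of the policy-neutral design.

```bro
##! Example custom Bro script (not from the thread or any project):
##! catalog HTTP clients whose User-Agent matches an analyst-chosen
##! pattern. Bro fires http_header for every header it parses; this
##! script decides what that event means and records it as a Notice.

@load base/frameworks/notice
@load base/protocols/http

module CustomExample;   # hypothetical module name

export {
    ## Hypothetical notice type added to the Notice framework's enum.
    redef enum Notice::Type += {
        Scripted_User_Agent,
    };

    ## Analyst-chosen pattern (assumed for this example); tune to taste.
    const scripted_ua_pattern = /^(curl|python-requests|Wget)/ &redef;
}

## Fires once per HTTP header; is_orig is true for the client side.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Only look at client request headers named User-Agent.
    if ( ! is_orig || name != "USER-AGENT" )
        return;

    if ( scripted_ua_pattern !in value )
        return;

    # Record the observation; the Notice framework decides what to do
    # with it (log, email, etc.) according to site policy, not this script.
    # $identifier lets the framework suppress repeats from the same
    # source/UA pair for the default suppression interval.
    NOTICE([$note=Scripted_User_Agent,
            $msg=fmt("Scripted HTTP client seen: %s", value),
            $sub=value,
            $conn=c,
            $identifier=cat(c$id$orig_h, value)]);
}
```

Load it alongside the default policies (for example by adding it to local.bro) and the result appears in notice.log with the connection's UID, so the same request can be cross-referenced against http.log and conn.log. Compare this with a Snort rule on the same User-Agent: the rule only fires an alert, whereas the Bro handler can enrich, suppress, correlate across events, or simply log without ever labeling the traffic as malicious.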