[Bro] couple of questions

Christian Kreibich christian at whoop.org
Tue Mar 21 07:32:51 PST 2006

Hi Jake,

On Tue, 2006-03-21 at 14:57 +0000, jbabbin at comcast.net wrote:
> List, 
> I have a couple of questions that I can't seem to figure out. 
> 1) Brian - Thanks for the SSL patch 
>    Once enabled I don't see any way of filtering out hosts from the
> non-ssl traffic alarm. For example, I have several custom applications
> that use that port for their traffic...don't ask...so I need to be
> able to filter them out of the alarms like below. 
> "1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https:
> SSL: Skipping connection (not an SSL connection?!)!" 
> The problem seems to be that the detection of non-ssl traffic is done
> in the source SSLProxy engine and I don't really want to be
> recompiling every time I need to add another host. Ideas? 

have a look at weird_ignore_host set, defined in weird.bro. It allows
you to filter weird-type events based on the event string and source/
destination IP addresses.


Depending on your analysis needs, you could also exclude the custom
traffic via the pcap filtering expression, though I'd imagine that
quickly gets tedious.

> 2) Is is possible in a policy file to perform a size comparison on a
> string? 
> For example, if you wanted to see if a filename was longer than a
> certain length. How would you sizeof a string value? 

Sure. It depends on what version of Bro you're using. In the development
releases, there's now a magnitude operator |x| that, when given a value,
returns its length, size, or whatever is most meaningful as magnitude
(vector length, table size, string length, etc). In older releases (0.9
and before), the byte_len() function returned a string's length.


More information about the Bro mailing list