[Bro] Bro Scripting Question
wseemann at gmail.com
Thu Oct 13 14:38:00 PDT 2011
I'm new to the world of Bro but I'm attempting to complete a small
project for a graduate level class at the University of Illinois. The
concept of the project is to define a set of policy files for a few core
host services (SMTP, DNS, WEB SERVER). Each service specific policy
file would ensure that only allowed hosts are running that service. The
policy file would also ensure that each allowed host is only running a
specified set of services. With that said, I started writing the policy
files but had a few questions.
From what I can gather it seems like the new_connection event would be
an obvious place to perform my checks since it is called for inbound and
outbound connections. Does this sound like the correct approach? Also,
is there a simple way to determine what service(s) a host is running
(smtp, ssh, etc)? In other words, if a host is making an outbound
connection is there any easy way to tie the traffic to a specific
service? Right now I'm just logging connections but I'm wondering if
there is an easier way to determine the service other than trying to tie
port traffic to a potential service.
I would appreciate any suggestions or advice you could send my way.
Thanks in advance - William Seemann
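An illustration of the kind of per-host service policy the question describes, added here as an example; it is not part of the original post or of the Bro distribution. One point worth knowing when choosing the event: at new_connection the connection's `service` set is still empty, because dynamic protocol detection only labels a connection after it has seen some payload, so the example checks at connection_state_remove, when `c$service` has been filled in. The host addresses, the allowed-service table, and the use of the Bro 2.x / Zeek notice framework (`Notice::Type`, `NOTICE`, `Site::is_local_addr`) are assumptions for the sake of the example.

```zeek
##! Example policy: each local host may only run the services listed for it.
##! Added illustration, not code from the original post or from Bro itself.

@load base/frameworks/notice
@load base/utils/site

module ServicePolicy;

export {
    redef enum Notice::Type += {
        ## A local host was seen serving a protocol it is not allowed to run,
        ## or a host not on the list was seen serving anything at all.
        Unauthorized_Service,
    };

    ## Constructed sample data: which services each approved host may run.
    ## Service names match the labels DPD puts into c$service.
    const allowed: table[addr] of set[string] = {
        [10.0.0.10] = set("SMTP"),
        [10.0.0.53] = set("DNS"),
        [10.0.0.80] = set("HTTP", "SSL"),
    } &redef;
}

# connection_state_remove fires when the connection is torn down or times out,
# by which point c$service carries whatever protocols DPD confirmed.
event connection_state_remove(c: connection)
    {
    local server = c$id$resp_h;

    # Only police hosts inside Site::local_nets; outbound connections to the
    # Internet say nothing about which services our own machines run.
    if ( ! Site::is_local_addr(server) )
        return;

    for ( svc in c$service )
        {
        # Either the responder is not an approved server at all, or it is
        # approved but for a different set of services.
        if ( server !in allowed || svc !in allowed[server] )
            NOTICE([$note=Unauthorized_Service,
                    $conn=c,
                    $msg=fmt("%s is serving %s on port %s but is not allowed to",
                             server, svc, c$id$resp_p),
                    # Suppress repeats for the same host/service pair.
                    $identifier=cat(server, svc)]);
        }
    }
```

Loading this alongside the rest of the policy (for example with `bro -r trace.pcap local ServicePolicy.bro`) produces one Unauthorized_Service notice per host/service pair that is outside the table, regardless of which port the service happened to run on, since the match is on the DPD label rather than on the port number.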