William Seemann wseemann at gmail.com
Thu Oct 13 14:38:00 PDT 2011

I'm new to the world of Bro but I'm attempting to complete a small 
project for a graduate level class at the University of Illinois. The 
concept of the project is to define a set of policy files for a few core 
host services (SMTP, DNS, WEB SERVER). Each service specific policy 
file would ensure that only allowed hosts are running that service. The 
policy file would also ensure that each allowed host is only running a 
specified set of services. With that said, I started writing the policy 
files but had a few questions.

From what I can gather it seems like the new_connection event would be 
an obvious place to perform my checks since it is called for inbound and 
outbound connections. Does this sound like the correct approach? Also, 
is there a simple way to determine what service(s) a host is running 
(smtp, ssh, etc)? In other words, if a host is making an outbound 
connection is there any easy way to tie the traffic to a specific 
service? Right now I'm just logging connections but I'm wondering if 
there is an easier way to determine the service other than trying to tie 
port traffic to a potential service.

I would appreciate any suggestions or advice you could send my way. 
Thanks in advance - William Seemann
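One way to express the "only allowed hosts run this service" policy described above, as an added example that is not part of the original post and not code from the Bro project. It assumes Bro 2.x syntax and the c$service set that Bro's protocol analyzers fill in for a connection; the host-to-service table is constructed sample data, and the Notice type and module name are made up for the example.

```bro
# Added example (not from the original post): flag a host that is seen
# serving a protocol it is not authorized to run.  It relies on c$service,
# which Bro's protocol detection fills in, rather than on port numbers.
@load base/frameworks/notice

module HostPolicy;

export {
    redef enum Notice::Type += {
        ## A host is serving a protocol it is not authorized for.
        Unauthorized_Service,
    };

    # Constructed sample data: which hosts may run which services.
    # Keys are service names as Bro reports them in c$service (assumption).
    const allowed_services: table[string] of set[addr] = {
        ["SMTP"] = set(192.168.1.10),
        ["DNS"]  = set(192.168.1.53),
        ["HTTP"] = set(192.168.1.80),
    } &redef;
}

# Checked when the connection is torn down, so that protocol detection has
# had a chance to populate c$service (new_connection fires before any
# payload has been seen, so c$service is still empty at that point).
event connection_state_remove(c: connection)
{
    for ( svc in c$service )
    {
        # Only police the services we have a policy for.
        if ( svc !in allowed_services )
            next;

        # The responder is the host offering the service.
        if ( c$id$resp_h in allowed_services[svc] )
            next;

        NOTICE([$note=Unauthorized_Service,
                $msg=fmt("%s is serving %s but is not an allowed %s host",
                         c$id$resp_h, svc, svc),
                $conn=c,
                $identifier=cat(c$id$resp_h, svc)]);
    }
}
```

This only observes services that are actually used on the monitored link; a host offering a service that nobody connects to during the capture will never appear in c$service, so the check complements rather than replaces an active inventory.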