[Bro] Bro Scripting Question
seth at icir.org
Fri Oct 14 06:40:58 PDT 2011
On Oct 13, 2011, at 5:38 PM, William Seemann wrote:
> From what I can gather it seems like the new_connection event would be
> an obvious place to perform my checks since it is called for inbound and
> outbound connections. Does this sound like the correct approach? Also,
> is there a simple way to determine what service(s) a host is running
> (smtp, ssh, etc)?
There is a script in the next release that is a variant on what you are looking to do. I even went back and fixed it recently since it was pretty badly broken.
Clone our git repository and look at the script: scripts/policy/protocols/conn/known-services.bro 
International Computer Science Institute
(Bro) because everyone has a network