[Bro] Converting a Bro Script to A New Stream

Chris Crawford christopher.p.crawford at gmail.com
Tue Aug 28 09:00:19 PDT 2012


Foo shows up notice_policy.log too:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice_policy
#fields	position	priority	action	pred	halt	suppress_for
#types	count	count	enum	func	bool	interval
0	10	Notice::ACTION_ADD_GEODATA	anonymous-function\x0a{ \x0areturn
((Notice::n$note in Notice::lookup_location_types));\x0a}	F	-
1	9	Notice::ACTION_NO_SUPPRESS	anonymous-function\x0a{ \x0areturn
((Notice::n$note in Notice::not_suppressed_types));\x0a}	F	-
2	9	Notice::ACTION_NONE	anonymous-function\x0a{ \x0areturn
((Notice::n$note in Notice::ignored_types));\x0a}	T	-
3	8	Notice::ACTION_NONE	anonymous-function\x0a{ \x0aif (Notice::n$note
in Notice::type_suppression_intervals) \x0a\x09{
\x0a\x09Notice::n$suppress_for =
Notice::type_suppression_intervals[Notice::n$note];\x0a\x09return
(T);\x0a\x09}\x0a\x0areturn (F);\x0a}	F	-
4	8	Notice::ACTION_ALARM	anonymous-function\x0a{ \x0areturn
((Notice::n$note in Notice::alarmed_types));\x0a}	F	-
5	8	Notice::ACTION_EMAIL	anonymous-function\x0a{ \x0areturn
((Notice::n$note in Notice::emailed_types));\x0a}	F	-
6	5	Notice::ACTION_EMAIL	anonymous-function\x0a{ \x0areturn (n$note ==
Foo);\x0a}	F	-
7	0	Notice::ACTION_LOG	-	F	-


On Tue, Aug 28, 2012 at 11:55 AM, Chris Crawford
<christopher.p.crawford at gmail.com> wrote:
> One additional note.  Foo is showing up in my notice.log:
>
> #separator \x09
> #set_separator  ,
> #empty_field    (empty)
> #unset_field    -
> #path   notice
> #fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       proto   note    msg     sub     src     dst     p       n       peer_descr      actions policy_items    suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude       metric_index.host       metric_index.str        metric_index.network
> #types  time    string  addr    port    addr    port    enum    enum    string  string  addr    addr    port    count   string  table[enum]     table[count]    interval        bool    string  string  string  double  double  addr    string  subnet
> 1345028672.101773       -       -       -       -       -       -       Foo     Foo
> detected.       -       -       -       -       -       bro     Notice::ACTION_LOG,Notice::ACTION_EMAIL 7,6     3600.000000     F       -       -       -       -       -       -       -       -
>
> So, the notice framework seems to be doing something.
>
> -Chris
>
>
> On Mon, Aug 27, 2012 at 5:49 PM, Chris Crawford
> <christopher.p.crawford at gmail.com> wrote:
>> Looks like the code didn't post.
>>
>> For the benefit of the mailing list, this is what the script looks like:
>>
>> export {
>>         redef Notice::mail_dest = "email_address at inet.com";
>>
>>         redef enum Notice::Type += {
>>                 Foo,
>>         };
>>
>>         redef Notice::emailed_types += {
>>                 Foo,
>>         };
>> }
>>
>>
>>
>> redef Notice::policy += {
>>   [$pred(n: Notice::Info) = {
>>      return n$note == Foo;
>>    },
>>    $action = Notice::ACTION_EMAIL]
>>   };
>>
>> event bro_init()
>>         {
>>         local filter: Log::Filter = [
>>                 $name="poison_hits",
>>                 $path="poison_hits",
>>                 $pred(rec: DNS::Info) = {
>>                         if ( rec?$qtype_name && rec?$answers &&
>> rec$qtype_name == "A" )
>>                                 {
>>                                 for ( i in rec$answers )
>>                                         if ( "1.2.3.4" in rec$answers[i] )
>>                                                 {
>>                                                 NOTICE([$note=Foo,
>> $msg="Foo detected."]);
>>                                                 return T;
>>                                                 }
>>                                 }
>>                         return F;
>>                 },
>>                 $include=set("ts", "uid", "id.orig_h", "query")];
>>         Log::add_filter(DNS::LOG, filter);
>>         }
>>
>>
>> On Mon, Aug 27, 2012 at 5:48 PM, Chris Crawford
>> <christopher.p.crawford at gmail.com> wrote:
>>> Thanks, Seth.  This works great, and it gives me better insight into
>>> how to write my own bro scripts.
>>>
>>> Now, I feel like my follow up question has an obvious answer, but I'm
>>> just not seeing it --
>>>
>>> Let's say I want to also email the alert, in addition to logging it.
>>> I've added a notice statement, and attempted to redefine
>>> Notice::mail_dest and Notice::policy as outlined in the bro docs:
>>> http://www.bro-ids.org/documentation/notice.html
>>>
>>> When I run the script, though, I don't receive an email.  I know that
>>> bro's email is working, because I am receiving hourly reports.  What
>>> am I missing?
>>>
>>> Attached the script, but if it doesn't post to the list, I'll follow
>>> up this post with the code.
>>>
>>> -Chris
>>>
>>> On Mon, Aug 20, 2012 at 10:42 AM, Seth Hall <seth at icir.org> wrote:
>>>>
>>>> On Aug 16, 2012, at 5:32 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>>>>
>>>>> redef record rec += {
>>>>>        foo: Info &optional;
>>>>> };
>>>>
>>>>> error in ./test.bro, line 22: unknown identifier (Foo::rec)
>>>>> error in ./test.bro, line 35 and ./test.bro, line 39: already defined (Foo::rec)
>>>>
>>>> I don't think you need that little chunk of code I left above.  We do that in many base scripts as a way of hiding protocol specific information within the connection record.  There is no existing record type named "rec" though and it doesn't look like you need to hide this information anywhere since you are deriving all of your log directly from data in the DNS::log_dns event.
>>>>
>>>> There is a better way to do this though and it was something we specifically considered in the logging framework.  Here's a log filter you can run that will give you the log you want…
>>>>
>>>> event bro_init()
>>>>         {
>>>>         local filter: Log::Filter = [
>>>>                 $name="only-1.2.3.4",
>>>>                 $path="foo",
>>>>                 $pred(rec: DNS::Info) = {
>>>>                         if ( rec?$qtype_name && rec?$answers &&
>>>>                              rec$qtype_name == "A" )
>>>>                                 {
>>>>                                 for ( i in rec$answers )
>>>>                                         if ( "1.2.3.4" in rec$answers[i] )
>>>>                                                 return T;
>>>>                                 }
>>>>                         return F;
>>>>                 },
>>>>                 $include=set("ts", "uid", "id.orig_h", "query")];
>>>>         Log::add_filter(DNS::LOG, filter);
>>>>         }
>>>>
>>>> --
>>>> Seth Hall
>>>> International Computer Science Institute
>>>> (Bro) because everyone has a network
>>>> http://www.bro-ids.org/
>>>>
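The notice.log and notice_policy.log excerpts above show how the notice framework records which policy items matched (the `policy_items` column holds positions into notice_policy.log, here `7,6`, i.e. the ACTION_LOG and ACTION_EMAIL items). Below is an added example, not code from the thread or from Bro, that parses the Bro 2.x ASCII log format (the `#separator`, `#set_separator`, `#unset_field`, `#fields` and `#types` header, `\xHH` escapes, `table[...]` columns) and joins a notice's `policy_items` back to the policy rows. The sample log text is constructed from the columns and values quoted in the thread; the function names are this example's own.

```python
"""Parse Bro 2.x ASCII logs (notice.log, notice_policy.log) and join a notice's
policy_items to the notice_policy.log rows that matched it.
Added example, not part of the original thread or of Bro; sample logs below are
constructed from the columns shown in the thread."""
import re

# Bro's ASCII writer escapes non-printable bytes as \xHH, in the header and in
# string/func cells alike ("\x09" is TAB, "\x0a" is newline).
_HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(s):
    """Turn \\xHH escapes back into the characters they stand for."""
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def _scalar(cell, typ):
    if typ in ("count", "int", "port"):
        return int(cell)
    if typ in ("time", "interval", "double"):
        return float(cell)
    if typ == "bool":
        return cell == "T"
    return unescape(cell)  # string, func, enum, addr, subnet stay text


def _convert(cell, typ, meta):
    """Map one cell to a Python value using the #types entry for its column."""
    if cell == meta["unset_field"]:
        return None
    if typ.startswith(("set[", "table[", "vector[")):
        inner = typ[typ.index("[") + 1:-1]
        if cell == meta["empty_field"]:
            return []
        return [_scalar(v, inner) for v in cell.split(meta["set_separator"])]
    return _scalar(cell, typ)


def parse_bro_log(text):
    """Return {"path", "fields", "types", "rows"}; rows are dicts keyed by field."""
    sep = "\t"
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields = types = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):  # value follows a space, not the separator
            sep = unescape(line[len("#separator "):])
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            else:  # set_separator, empty_field, unset_field, path, ...
                meta[key] = unescape(value)
            continue
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        cells = line.split(sep)
        if len(cells) != len(fields):
            raise ValueError("expected %d columns, got %d" % (len(fields), len(cells)))
        rows.append({f: _convert(c, t, meta) for f, t, c in zip(fields, types, cells)})
    return {"path": meta.get("path"), "fields": fields, "types": types, "rows": rows}


def matched_policy_items(notice, policy_log):
    """Resolve notice["policy_items"] (positions in notice_policy.log) to
    (position, priority, action) tuples, in the order Bro listed them."""
    by_pos = {row["position"]: row for row in policy_log["rows"]}
    return [(p, by_pos[p]["priority"], by_pos[p]["action"]) for p in notice["policy_items"]]


def _log(path, fields, types, rows):
    """Build a constructed Bro ASCII log with real TAB separators."""
    head = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
            "#unset_field\t-", "#path\t" + path,
            "#fields\t" + "\t".join(fields), "#types\t" + "\t".join(types)]
    return "\n".join(head + ["\t".join(r) for r in rows]) + "\n"


# Constructed from the notice.log columns and the single record quoted in the thread.
NOTICE_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
                 "note", "msg", "sub", "src", "dst", "p", "n", "peer_descr", "actions",
                 "policy_items", "suppress_for", "dropped", "remote_location.country_code",
                 "remote_location.region", "remote_location.city", "remote_location.latitude",
                 "remote_location.longitude", "metric_index.host", "metric_index.str",
                 "metric_index.network"]
NOTICE_TYPES = ["time", "string", "addr", "port", "addr", "port", "enum", "enum", "string",
                "string", "addr", "addr", "port", "count", "string", "table[enum]",
                "table[count]", "interval", "bool", "string", "string", "string", "double",
                "double", "addr", "string", "subnet"]
NOTICE_ROW = (["1345028672.101773"] + ["-"] * 6 + ["Foo", "Foo detected."] + ["-"] * 5
              + ["bro", "Notice::ACTION_LOG,Notice::ACTION_EMAIL", "7,6", "3600.000000", "F"]
              + ["-"] * 8)
SAMPLE_NOTICE_LOG = _log("notice", NOTICE_FIELDS, NOTICE_TYPES, [NOTICE_ROW])
SAMPLE_POLICY_LOG = _log(
    "notice_policy",
    ["position", "priority", "action", "pred", "halt", "suppress_for"],
    ["count", "count", "enum", "func", "bool", "interval"],
    [["6", "5", "Notice::ACTION_EMAIL",
      r"anonymous-function\x0a{ \x0areturn (n$note == Foo);\x0a}", "F", "-"],
     ["7", "0", "Notice::ACTION_LOG", "-", "F", "-"]])

if __name__ == "__main__":
    notice = parse_bro_log(SAMPLE_NOTICE_LOG)["rows"][0]
    policy = parse_bro_log(SAMPLE_POLICY_LOG)
    print(notice["note"], notice["actions"])
    for pos, prio, action in matched_policy_items(notice, policy):
        print(pos, prio, action)
```

Running it over the constructed logs shows the `Foo` notice carrying both `Notice::ACTION_LOG` and `Notice::ACTION_EMAIL`, and resolves `policy_items` `7,6` to the position-7 ACTION_LOG item (priority 0) and the position-6 ACTION_EMAIL item (priority 5) from the user's `redef Notice::policy`. Checking notice.log this way confirms whether the policy matched before looking at the mail delivery side.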