[Bro] creating bro scripts
anthony.kasza at gmail.com
Wed Aug 14 08:20:13 PDT 2013
See the 'raising notices' section here
On Aug 14, 2013 8:07 AM, "John Babio" <jbabio at po-box.esu.edu> wrote:
> Thanks Anthony,
> Here is what I have so far. How do I create a notice out of it?
> event dns_request(c: connection, msg: dns_msg, query: string, qtype:
> count, qclass: count) &priority=5
> if ( c$dns$qtype == PTR )
> From: anthony kasza <anthony.kasza at gmail.com>
> Date: Tuesday, August 13, 2013 7:42 PM
> To: John Babio <jbabio at po-box.esu.edu>
> Subject: Re: [Bro] creating bro scripts
> Determine the event you want to act on (sounds like you want dns_request)
> and write a code block for it. Put that into a file and call it when you
> run Bro or load the file in the local.bro script.
> Check out Liam Randall's fire scripts on github. They print to screen or
> count when an event occurs.
> On Aug 13, 2013 4:32 PM, "John Babio" <jbabio at po-box.esu.edu> wrote:
> I wanted to start working on something to get acquainted with the bro
> programming. I figured DNS might be a good start. It seems to be the way I
> learn the best and I learned python this way. My goals are to maybe create
> something simple that displays a notice for a particular query type, PTR,
> NS, MX etc.
> Where is there a good example of how I go about this? Inside of
> policy/protocols/dns?
> Once I create this I can call it from local.bro, correct?
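The task discussed in this thread, raising a notice from a dns_request handler for chosen query types, could look like the following. This is an added example, not code posted by anyone in the thread; the module name DNSQueryNotice, the notice type Watched_Query_Type and the set watched_qtypes are names made up for illustration.

```bro
@load base/frameworks/notice
@load base/protocols/dns

module DNSQueryNotice;   # hypothetical module name

export {
    redef enum Notice::Type += {
        ## A DNS request with one of the watched query types was seen.
        Watched_Query_Type
    };

    ## Numeric RR TYPE values to report on: NS (2), PTR (12), MX (15).
    ## Declared &redef so local.bro can change the set.
    const watched_qtypes: set[count] = { 2, 12, 15 } &redef;
}

event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
    {
    # Test the event's own qtype argument instead of c$dns$qtype, so the
    # handler does not depend on the base DNS script having filled in
    # c$dns before this handler runs.
    if ( qtype !in watched_qtypes )
        return;

    # DNS::query_types maps the numeric type to its name ("PTR", "MX", ...).
    local type_name = DNS::query_types[qtype];

    NOTICE([$note=Watched_Query_Type,
            $msg=fmt("%s sent a %s query for %s",
                     c$id$orig_h, type_name, query),
            $sub=query,
            $conn=c,
            # One notice per client, type and name per hour, so routine
            # reverse lookups do not flood notice.log.
            $identifier=cat(c$id$orig_h, qtype, query),
            $suppress_for=1hr]);
    }
```

Saved to a file and loaded from local.bro as described in the thread, this writes matching requests to notice.log.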