[Bro] Bro programming intro
rjenkins at rmjconsulting.net
Tue Mar 19 08:29:55 PDT 2013
When are you all planning the next release version?
Ron Jenkins (SnortCP, VCP (3/4), MCNE, CNE6, MCP,CCNA)
RMJ Consulting, LLC. "Bringing Companies and Solutions Together"
Makers of Active Response System(ARS) & Log Siphon
Owner / Senior Architect
11715 Bricksome Ave STE B-7
Baton Rouge, LA 70816
7575 Jefferson Hwy #103
Baton Rouge, LA 70806
Email. rjenkins at rmjconsulting.net
Log Siphon. http://www.logsiphon.com
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Seth Hall
Sent: Tuesday, March 19, 2013 10:13 AM
To: Tritium Cat
Cc: bro at bro-ids.org
Subject: Re: [Bro] Bro programming intro
On Mar 18, 2013, at 8:03 PM, Tritium Cat <tritium.cat at gmail.com> wrote:
> I want to modify the SQL Injection detection in policy/protocols/http/detect-sqli.bro to include a vector that tracks the associated http request uids and includes them in an additional log field. After getting it working I would like to apply it generally to other Notices such as SSH Password_Guessing.
The upcoming release actually results in this script getting rewritten a bit because of a rewrite of the metrics (now measurement) framework. The new version actually keeps samples of the requests. It will be relatively easy to write your own script that tracks uid's instead of urls but the benefit to sampling the urls is that if you have Bro send you email for the notice it will add those sample urls to the email (it's been very convenient for determining if something is a false positive without even searching logs).
Otherwise, with the metrics framework in 2.1 there isn't a good way to do it.
International Computer Science Institute
(Bro) because everyone has a network
Bro mailing list
bro at bro-ids.org
More information about the Bro