[Bro] processing all Notices

Aashish SHARMA init.conf at gmail.com
Fri May 3 16:57:53 PDT 2013


[Not sure if my previous reply went through - resending]

Hello David:

I have a very simple script which counts the number of notices per source and generates another notice. The new notice can be an escalation to a different action (Action::EMAIL or ACTION::DROP etc). 

Consider this version 0.1, but you will get a good idea from it. I want to include another threshold for generating a notice if N distinct notice_types per source are seen. Additionally, such heuristics can be extended further. 

Policy file attached. 

Aashish 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: notice_count.bro
Type: application/octet-stream
Size: 1789 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130503/6bacf2ff/attachment.obj 
-------------- next part --------------


On May 3, 2013, at 3:59 PM, David Mandelberg <david at mandelberg.org> wrote:

> Hi,
> 
> Is there a good way to process all Notices without having any effect on
> the Notices? Something like "event new_notice(n: Notice::Info)" would be
> great.
> 
> (I'm trying to write a script to correlate multiple Notices and modify
> firewall rules as appropriate.)
> 
> -- 
> David Eric Mandelberg / dseomn
> http://david.mandelberg.org/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
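Below is an added illustration, not the attached notice_count.bro and not part of this thread. It shows the two pieces the thread discusses: a read-only observer that sees every notice (the `Notice::notice` event of the Bro 2.1-era notice framework, which fires after the policy has been applied) and a `Notice::policy` hook that escalates the generated notices to an action. The module name `Escalation`, the notice types `Repeated_Notices` and `Diverse_Notices`, and the threshold values are assumptions for the example; the second threshold (distinct notice types per source) goes beyond the attached 0.1 script as described.

```bro
# Added example: count notices per source, raise an escalation notice when
# a per-source total or a per-source number of distinct notice types crosses
# a threshold, and give the escalation notices a stronger action.
# Module, notice type and threshold names are assumed, not from the thread.

@load base/frameworks/notice

module Escalation;

export {
    redef enum Notice::Type += {
        ## One source triggered notice_threshold notices (any kind).
        Repeated_Notices,
        ## One source triggered distinct_threshold different notice types.
        Diverse_Notices,
    };

    ## Assumed thresholds; tune per site.
    const notice_threshold   = 10 &redef;
    const distinct_threshold = 3  &redef;

    ## How long a source's counters live without new notices.
    const window = 1hr &redef;
}

# Per-source bookkeeping, forgotten after `window` of inactivity.
global counts: table[addr] of count &default=0 &write_expire=window;
global kinds:  table[addr] of set[Notice::Type] &write_expire=window;

# Notice::notice is raised for every notice after the policy has run.
# Only reading n here leaves the original notice and its actions untouched,
# which is the "observe without side effects" behaviour asked about above.
event Notice::notice(n: Notice::Info)
{
    # Do not count our own escalation notices, or they would feed themselves.
    if ( n$note == Repeated_Notices || n$note == Diverse_Notices )
        return;

    # Not every notice carries a source address.
    if ( ! n?$src )
        return;

    local src = n$src;
    counts[src] = counts[src] + 1;
    if ( src !in kinds )
        kinds[src] = set();
    add kinds[src][n$note];

    # Fire exactly once per crossing; $identifier/$suppress_for stop repeats.
    if ( counts[src] == notice_threshold )
        NOTICE([$note=Repeated_Notices, $src=src,
                $msg=fmt("%s triggered %d notices within %s", src, counts[src], window),
                $identifier=cat(src, "repeat"),
                $suppress_for=window]);

    if ( |kinds[src]| == distinct_threshold )
        NOTICE([$note=Diverse_Notices, $src=src,
                $msg=fmt("%s triggered %d distinct notice types", src, |kinds[src]|),
                $identifier=cat(src, "diverse"),
                $suppress_for=window]);
}

# Escalation policy: the generated notices get e-mailed. Adding
# Notice::ACTION_DROP here works the same way once a site has wired up
# the drop action; the choice of action is an assumption of this example.
hook Notice::policy(n: Notice::Info) &priority=-5
{
    if ( n$note == Repeated_Notices || n$note == Diverse_Notices )
        add n$actions[Notice::ACTION_EMAIL];
}
```

The counter only acts at the exact moment the threshold is reached, and the `$identifier` plus `$suppress_for` fields keep a noisy source from producing one escalation notice per additional hit during the window; the `&write_expire` attribute on both tables bounds memory for sources that go quiet.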


