[Bro] vector array of string used as a pattern for matching

Jim Mellander jmellander at lbl.gov
Thu Feb 27 12:28:31 PST 2014


I wrote some fairly elaborate code (called Stomper) a number of years ago
that performed URL/domain matching on a blacklist, and killed the
connections in realtime; it probably could be adapted to your use case.  Aside
from the other actions, the domain matching is done by successively
splitting the domain into smaller parts & checking for set membership.

An example - given a domain www.badguy.com we would check:

www.badguy.com
badguy.com
.com

for membership in the set, and act on it accordingly - of course, unless
you're interested in tracking by TLD you wouldn't go all the way down to
.com, in this example.

If you're interested in the code, contact me offline.




On Thu, Feb 27, 2014 at 11:58 AM, Kellogg, Brian D (OLN) <
bkellogg at dresser-rand.com> wrote:

> Thanks, I thought of that as well.  I was trying to not use a loop if at
> all possible.
>
>
>
> Thanks,
>
> Brian
>
>
>
> *From:* anthony kasza [mailto:anthony.kasza at gmail.com]
> *Sent:* Thursday, February 27, 2014 2:56 PM
> *To:* Kellogg, Brian D (OLN)
> *Cc:* bro at bro.org
> *Subject:* Re: [Bro] vector array of string used as a pattern for matching
>
>
>
> You could use a set of patterns.
>
> local foo: set[pattern] = YourPatterns;
> for ( each in foo )
>     {
>     if ( each in DomainInQuestion )
>         DoSomething;
>     }
>
> -AK
>
> On Feb 27, 2014 11:44 AM, "Kellogg, Brian D (OLN)" <
> bkellogg at dresser-rand.com> wrote:
>
> I'm trying to create an array of domain names that I want to use as a
> pattern to search on.  I know the below is wrong; just looking for someone
> to educate me on how to do this in a Bro script if it can be done.  thanks
>
>
>
> global ignoreDomains: vector of string = vector("webex.com", "pwc.com", "messagelabs.com", "akamaitechnologies.com");
>
> when ( local dst = lookup_addr(c$id$resp_h) )
>         {
>         if ( /ignoreDomains$/ in dst )
>                 return;
>         }
>
>
>
>
>
> Thank you,
>
> *Brian Kellogg*
>
> Security Analyst; IT Governance, Risk, and Compliance
>
> 500 Paul Clark Drive, Olean,  NY 14760
>
> T: (716) 375-3186 | F: (716) 375-3557
>
> www.dresser-rand.com     NYSE: DRC
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
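The two matching strategies discussed in this thread side by side, as an added example written in Python rather than Bro and not code from any of the posters: Jim's successive suffix-splitting with a set lookup, and AK's loop over a set of patterns. The allowlist reuses Brian's ignoreDomains entries; the label-anchored pattern variant and the `min_labels` parameter (Jim's remark about not going all the way down to the TLD) are assumptions of this example.

```python
import re

# Constructed allowlist, modelled on the ignoreDomains vector from the thread.
IGNORE_DOMAINS = {"webex.com", "pwc.com", "messagelabs.com", "akamaitechnologies.com"}


def normalize(host: str) -> str:
    """Lowercase and strip a trailing dot so 'WWW.Webex.com.' equals 'www.webex.com'."""
    return host.strip().lower().rstrip(".")


def suffixes(host: str, min_labels: int = 2) -> list:
    """Return the host and each shorter label suffix, e.g.
    www.badguy.com -> ['www.badguy.com', 'badguy.com'] (min_labels=2 skips the bare TLD)."""
    labels = normalize(host).split(".")
    return [".".join(labels[i:]) for i in range(len(labels)) if len(labels) - i >= min_labels]


def ignored_by_suffix(host: str, ignore=IGNORE_DOMAINS, min_labels: int = 2) -> bool:
    """Jim's approach: successively strip the leading label and test set membership.
    Matching happens only on label boundaries, so evilwebex.com never matches webex.com."""
    return any(s in ignore for s in suffixes(host, min_labels))


# AK's approach: a collection of patterns tested in a loop. Anchoring with '$' alone
# (the /ignoreDomains$/ idea from the thread) still lets a lookalike host match.
END_ANCHORED = [re.compile(re.escape(d) + r"$") for d in IGNORE_DOMAINS]
# Anchoring on a label boundary as well closes that gap.
LABEL_ANCHORED = [re.compile(r"(^|\.)" + re.escape(d) + r"$") for d in IGNORE_DOMAINS]


def ignored_by_pattern(host: str, patterns=LABEL_ANCHORED) -> bool:
    """Loop over compiled patterns, as in AK's Bro sketch."""
    h = normalize(host)
    return any(p.search(h) for p in patterns)
```

Since lookup_addr returns a reverse-DNS name, whoever controls the responder's PTR record chooses what string these checks see; the label-anchored forms at least keep a lookalike such as evilwebex.com from matching the webex.com entry.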

