[Bro] vector array of string used as a pattern for matching

Seth Hall seth at icir.org
Fri Feb 28 07:12:23 PST 2014


On Feb 27, 2014, at 2:23 PM, "Kellogg, Brian D (OLN)" <bkellogg at dresser-rand.com> wrote:

> I’m trying to create an array of domain names that I want to use as a pattern to search on.  I know the below is wrong; just looking for someone to educate me on how to do this in a Bro script if it can be done.  thanks

# Create a set of domain suffixes.
global ignore_domains = set(".webex.com", ".pwc.com", ".messagelabs.com", ".akamaitechnologies.com");
# Create an empty pattern where we're going to automatically create.
global my_domain_suffixes = /MATCH_NOTHING/; # There is bug with setting blank patterns at the moment.

event bro_init() &priority=10
	{
	# Create the my_domain_suffixes pattern by auto constructing it from the ignore_domains set.
	my_domain_suffixes = set_to_regex(ignore_domains, "(^\\.?|\\.)(~~)$");
	}

# I'll give an example event like you want.
event whatever(c: connection)
	{
	when (local name = lookup_addr(c$id$resp_h))
		{
		if (my_domain_suffixes in name)
			return;
		}
	}


One thing to keep in mind with this script is the amount of DNS traffic you could easily cause if you handle an event that fires a lot (like the connection_established event).  You may want to do some name caching or restrictions for when the look ups are done.  We are also getting some evidence that overusing when statements is causing trouble for a few people.

Please when you are writing scripts, put them into a namespace (with "module MySpecialModule;" at the beginning of your script) to help us avoid stomping on identifier names that you are using.

Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140228/f8f4bc60/attachment.bin 


More information about the Bro mailing list