[Bro] vector array of string used as a pattern for matching

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Fri Feb 28 07:46:03 PST 2014

Thank you!

This is for a script that alerts on large outgoing Tx's.  So the domain lookups are not going to be that frequent; at least they better not be.  

Hopefully I'll get some time next week to work this solution in.  Wish I had more time to spend on Bro.  It is an incredible and invaluable tool for any NSM solution.

Thank you,
Brian Kellogg
-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Friday, February 28, 2014 10:12 AM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] vector array of string used as a pattern for matching

On Feb 27, 2014, at 2:23 PM, "Kellogg, Brian D (OLN)" <bkellogg at dresser-rand.com> wrote:

> I'm trying to create an array of domain names that I want to use as a 
> pattern to search on.  I know the below is wrong; just looking for 
> someone to educate me on how to do this in a Bro script if it can be 
> done.  thanks

# Create a set of domain suffixes.  Leave off the leading dot: the regex
# template below supplies the "^" / "\." anchoring, so an entry of ".webex.com"
# would end up requiring two dots and never match "foo.webex.com".
global ignore_domains = set("webex.com", "pwc.com", "messagelabs.com", "akamaitechnologies.com");
# Create a placeholder pattern that we're going to construct automatically.
global my_domain_suffixes = /MATCH_NOTHING/; # There is a bug with setting blank patterns at the moment.

event bro_init() &priority=10
	{
	# Create the my_domain_suffixes pattern by auto-constructing it from the
	# ignore_domains set (~~ is replaced by the ORed set elements).
	my_domain_suffixes = set_to_regex(ignore_domains, "(^\\.?|\\.)(~~)$");
	}

# I'll give an example event like you want.
event whatever(c: connection)
	{
	when ( local name = lookup_addr(c$id$resp_h) )
		{
		# Name matches one of the ignored suffixes: nothing to do.
		if ( my_domain_suffixes in name )
			return;
		# Otherwise, do the alerting here.
		}
	}

One thing to keep in mind with this script is the amount of DNS traffic you could easily cause if you handle an event that fires a lot (like the connection_established event).  You may want to do some name caching or restrictions for when the lookups are done.  We are also getting some evidence that overusing when statements is causing trouble for a few people.

Please, when you are writing scripts, put them into a namespace (with "module MySpecialModule;" at the beginning of your script) to help us avoid stomping on identifier names that you are using.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
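The caching and restriction Seth suggests, written out as an added example (this is not code from the thread or from the Bro distribution). It puts the script in its own module, gates the reverse lookup on a hypothetical outgoing-byte threshold (large_tx_bytes) so that only candidate connections generate DNS traffic, remembers each answer in an expiring table so a busy host is resolved once per hour rather than once per connection, and tracks in-flight lookups so a burst of connections to the same address does not issue a burst of when statements. The domain list and the handle_named function are placeholders for the real alerting logic.

```bro
# Added example, not part of the original thread.
module LargeTxAlert;

export {
	## Domain suffixes (no leading dot; the regex template adds it) whose
	## hosts should be ignored.  Hypothetical list.
	const ignore_domains: set[string] = {
		"webex.com", "pwc.com", "messagelabs.com", "akamaitechnologies.com",
	} &redef;

	## Hypothetical threshold: only connections that sent at least this many
	## bytes from the originator are worth a reverse lookup.
	const large_tx_bytes = 100000000 &redef;

	## How long a cached reverse lookup stays valid.
	const name_cache_expire = 1hr &redef;
}

global suffix_pattern = /MATCH_NOTHING/;

# addr -> reverse name.  Entries expire so stale names are refreshed and the
# table cannot grow without bound.
global name_cache: table[addr] of string &create_expire=name_cache_expire;

# Addresses with a lookup currently in flight, so repeated connections to the
# same host do not each start their own when statement.
global pending: set[addr] &create_expire=30sec;

event bro_init() &priority=10
	{
	suffix_pattern = set_to_regex(ignore_domains, "(^\\.?|\\.)(~~)$");
	}

# Placeholder for the real alerting logic, called once the name is known.
function handle_named(c: connection, name: string)
	{
	if ( suffix_pattern in name )
		return;
	# ... raise the large-transfer alert for c here ...
	}

event connection_state_remove(c: connection)
	{
	# Restriction: small transfers never trigger DNS traffic at all.
	if ( c$orig$size < large_tx_bytes )
		return;

	local h = c$id$resp_h;

	# Fast path: cached name, no when statement and no DNS query.
	if ( h in name_cache )
		{
		handle_named(c, name_cache[h]);
		return;
		}

	# Only one outstanding lookup per address; later connections to the same
	# host will hit the cache once the answer arrives.
	if ( h in pending )
		return;
	add pending[h];

	when ( local name = lookup_addr(h) )
		{
		name_cache[h] = name;
		delete pending[h];
		handle_named(c, name);
		}
	timeout 5sec
		{
		# Unanswered lookup: allow a retry on the next qualifying connection.
		delete pending[h];
		}
	}
```

Connections that arrive while a lookup for the same address is still pending are deliberately dropped rather than queued; if every large transfer must be evaluated, replace the `if ( h in pending ) return;` with a per-address list of waiting connections that the when body drains. The handler is on connection_state_remove so that c$orig$size reflects the whole connection; on a high-rate event such as connection_established the size is not yet known and the cache alone would not save you from the DNS load Seth describes.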
