[Bro] adding srcip to correlation script

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Mon Jan 12 05:32:36 PST 2015


Thanks for the response.

I tried something similar already, but it wants the connection unique ID field filled as well and haven't figured out how to handle that yet.  Haven't had time to play with it beyond my first attempt.  Thanks


-----Original Message-----
From: Josh Liburdi [mailto:liburdi.joshua at gmail.com] 
Sent: Friday, January 09, 2015 8:36 PM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] adding srcip to correlation script

Hi Brian,

I wrote the script you're referring to, so hopefully I can help.
(Sorry for taking so long to reply to your message, I meant to do this earlier but haven't had time.)

I don't use ELSA, but based on your description it sounds like it parses the Bro notice c$id fields and not the src or dst fields. This script doesn't use the c$id fields since no connection record exists after correlation has taken place; the only field containing a connection artifact is the src field, so that is the field you would want to groupby. It sounds like the fix for this could be in ELSA, but if you'd like to alter the Bro script to support the ELSA srcip field as it is now, then this (ugly solution) should work:

Change this line in each notice: $src=idx, To this: $id=[$orig_h=idx,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],

By doing that, we're faking a full connection record to get the idx value into the c$id$orig_h field (and thus the srcip field in ELSA).

Hope this helps! Let me know if I was way off base.

Josh

On Fri, Jan 2, 2015 at 8:46 AM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com> wrote:
> I’m working with the correlation script released by CrowdStrike, thank 
> you BTW, and I want to populate the “srcip” field with the correct 
> source IP so that I can do a groupby on that field in ELSA.  How do I 
> get the conn record for this connection into the below function so 
> that I can add $conn=c to the notice?  Not sure what the best way to 
> do this is; can I just add it to the function arguments or define “c” 
> as a local and then assign the source IP, “idx” in this case, to c$id$orig_h?
>
>
>
> function alerts_out(t: table[addr] of set[string], idx: addr): interval
>
>
>
>
>
> thanks,
>
> Brian
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
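A minimal Bro script applying Josh's suggested change, as an added example that is not code from this thread or from the CrowdStrike correlation script. Only the alerts_out signature comes from Brian's message; the module name, the Correlated_Alert notice type, the alerts table and its 5-minute expiry are assumptions for illustration.

```zeek
# Added example (not from the thread or the CrowdStrike script).
# Everything except the alerts_out signature is an assumption for illustration.
module Correlation;

export {
    redef enum Notice::Type += {
        ## Constructed notice type for this example.
        Correlated_Alert
    };
}

# Expiry callback in the shape of the alerts_out() Brian quoted:
# Bro calls it when a table entry expires, with idx = the correlated source address.
# There is no connection record here; the only connection artifact is idx.
function alerts_out(t: table[addr] of set[string], idx: addr): interval
    {
    local names = "";
    for ( n in t[idx] )
        names = fmt("%s %s", names, n);

    NOTICE([$note=Correlated_Alert,
            $msg=fmt("correlated alerts for %s:%s", idx, names),
            # The script's original form was $src=idx. Josh's workaround fakes a
            # full conn_id instead so that notice.log's id.orig_h carries idx,
            # which is the field ELSA maps to srcip. The other three members are
            # placeholders (port 0, address 0.0.0.0) because no peer is known.
            $id=[$orig_h=idx, $orig_p=0/tcp, $resp_h=0.0.0.0, $resp_p=0/tcp]]);

    # Returning 0secs lets the entry expire as normal.
    return 0secs;
    }

# Constructed table: source address -> set of alert names seen from it.
global alerts: table[addr] of set[string] &create_expire=5mins &expire_func=alerts_out;
```

The placeholder resp_h/resp_p values will show up in notice.log as 0.0.0.0 and 0 for every correlated notice, so anyone grouping on id.resp_h downstream should expect that; the point of the workaround is only to make id.orig_h carry the correlated source.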


