[Bro] I want to capture certain traffic using input framework

Hashem Alaidaros aidaros.dev at gmail.com
Sun Sep 20 04:54:39 PDT 2015


Hi All

I used the input framework blacklist approach (
https://www.bro.org/sphinx/frameworks/input.html) that lets a Bro script read
IPs from a file (log file) that is dynamically written by another Bro
instance.
I managed to read the blacklist IPs from the blacklist file.

My goal is to let Bro only capture and process live packets that match
those blacklist IPs, but there is an issue: the event captures all
incoming packets.
The following event captures and processes all packets before it reads and
matches against the file. For example, once the following Bro script runs, all
incoming traffic is processed in this event, regardless of blacklist match:

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$conn$id$orig_h in blacklist )
        {
        # do analysis
        }
    }

1. Is there any way to filter the incoming traffic in Bro based on the input
framework blacklist?

FYI: I can use BPF (bro -f file.log), but in this case the issue is that
Bro has to be restarted many times, since the file keeps adding new IPs, so
that file.log is kept updated. I also found the exclude filter function, but that
excludes; I want to include certain traffic to be captured.

2. Can an event be provoked only when it passes a condition? For example, in
my case, can I say:

if ( state$conn$id$orig_h in blacklist )
    {
    event signature_match(state: signature_state, msg: string, data: string)
        {
        print fmt("IRC bot Match!!! in %s", state$conn$id$orig_h);
        }
    }
else
    {
    # do nothing
    }

If not, is there any way to make an event run only when it passes an if statement?

Bro version 2.3

Thanks in advance
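As an added example (not part of the original post and not Bro's own code), the following Bro 2.3 script shows the two mechanisms the post is asking about: the Input framework loading a blacklist file into a set with REREAD mode, so appended IPs are picked up without restarting Bro, and a custom event that is raised only when the originator address passes the blacklist check inside the signature_match handler. The module name, file path, event name and the "ip" column name are assumptions.

```bro
# Added example, not from the original post. Loads a blacklist of source IPs
# with the Input framework and raises a custom event only for signature
# matches whose originator is in the list. Paths and names are assumptions.
module BlacklistDemo;

export {
    # One row per IP in the input file; the column header must be "ip", i.e.
    # the file starts with a line "#fields<TAB>ip" followed by one IP per line.
    type Idx: record {
        ip: addr;
    };

    # The set the Input framework keeps in sync with the file.
    global blacklist: set[addr] = set();

    # Custom event raised only for blacklisted originators.
    global blacklist_hit: event(c: connection, msg: string);

    # Assumed path of the file the other Bro instance writes.
    const blacklist_file = "/var/bro/blacklist.log" &redef;
}

event bro_init()
    {
    # REREAD re-parses the file whenever its modification time changes, so
    # newly appended IPs reach the set while Bro keeps running.
    Input::add_table([$source=blacklist_file,
                      $name="blacklist",
                      $idx=Idx,
                      $destination=blacklist,
                      $mode=Input::REREAD]);
    }

# Fires after each (re)read of the file has been applied to the destination.
event Input::end_of_data(name: string, source: string)
    {
    if ( name == "blacklist" )
        print fmt("blacklist now has %d entries", |blacklist|);
    }

# Every signature match still reaches this handler (script-level filtering
# does not change what is captured); only blacklisted sources go further.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$conn$id$orig_h in blacklist )
        event blacklist_hit(state$conn, msg);
    }

# This handler only ever runs for connections that passed the check above.
event blacklist_hit(c: connection, msg: string)
    {
    print fmt("IRC bot match from blacklisted host %s: %s", c$id$orig_h, msg);
    }
```

The blacklist file must use the Input framework's tab-separated format, so a constructed input would be a header line "#fields" followed by a tab and "ip", then one address per line. The example does not reduce what Bro captures; it gates the analysis in script land by raising a separately declared event from inside the condition, which is the usual way to make handler code run only when a check passes.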