[Bro] Bro Digest, Vol 113, Issue 31

Hashem Alaidaros aidaros.dev at gmail.com
Sun Sep 20 15:39:25 PDT 2015


Thanks Jan for your reply.
Actually, I was trying the packet filter framework before, but I found that it
lets you "exclude" traffic based on IPs, whereas in my case it is the opposite: I
want to "include" only, and let traffic from my blacklist IPs through to Bro. In
other words, I want to tell Bro: if the incoming IP address matches
the blacklist file, then capture that file and analyze it; otherwise
ignore (or drop) it.
Correct me if I'm wrong.
I hope I can find the answer in this mailing list.

On Sun, Sep 20, 2015 at 10:00 PM, <bro-request at bro.org> wrote:

> Send Bro mailing list submissions to
>         bro at bro.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
>         bro-request at bro.org
>
> You can reach the person managing the list at
>         bro-owner at bro.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
>
> Today's Topics:
>
>    1. I want to capture certain traffic using input framework
>       (Hashem Alaidaros)
>    2. Re: I want to capture certain traffic using input framework
>       (Jan Grashoefer)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 20 Sep 2015 14:54:39 +0300
> From: Hashem Alaidaros <aidaros.dev at gmail.com>
> Subject: [Bro] I want to capture certain traffic using input framework
> To: bro at bro.org
> Message-ID:
>         <CAFmcO-Ef1d10A_GskB359cNxfrshpw=
> DW2wE5WuLr+1zvTXjHw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi All
>
> I used the input framework blacklist approach (
> https://www.bro.org/sphinx/frameworks/input.html) that lets a Bro script read
> IPs from a file (a log file) that is dynamically written by another Bro
> instance.
> I managed to read the blacklist IPs from the blacklist file.
>
> My goal is to let Bro only capture and process live packets that match
> those blacklist IPs, but there is an issue: the event captures all
> incoming packets.
> The following event captures and processes all packets before it reads and
> matches them against the file. For example, once the following Bro script runs,
> all incoming traffic is processed in this event, regardless of a blacklist match:
>
> event signature_match(state: signature_state, msg: string, data: string)
>     {
>     if ( state$conn$id$orig_h in blacklist )
>         {
>         # do analysis
>         }
>     }
>
> 1. Is there any way to filter the incoming traffic in Bro based on the input
> framework blacklist?
>
> FYI: I can use BPF (bro -f file.log), but in this case the issue is that
> Bro has to be restarted many times, since the file keeps getting new IPs added,
> so file.log has to be updated. I also found the exclude filter function, but
> that excludes; I want to include certain traffic to be captured.
>
> 2. Can an event be provoked only when it passes a condition? For example, in
> my case, can I say:
>
> if ( state$conn$id$orig_h in blacklist )
>     {
>     event signature_match(state: signature_state, msg: string, data: string)
>         {
>         print fmt("IRC bot Match!!! in %s", state$conn$id$orig_h);
>         }
>     }
> else
>     {
>     # do nothing
>     }
>
> If not, is there any way to make an event run only when it passes an if statement?
>
> Bro version 2.3
>
> Thanks in advance
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150920/7b8273c5/attachment-0001.html
>
> ------------------------------
>
> Message: 2
> Date: Sun, 20 Sep 2015 15:25:00 +0200
> From: Jan Grashoefer <jan.grashofer at cern.ch>
> Subject: Re: [Bro] I want to capture certain traffic using input
>         framework
> To: <bro at bro.org>
> Message-ID: <55FEB3AC.1040703 at cern.ch>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi,
>
> > FYI: I can use BPF (bro -f file.log), but in this case the issue is that
> > Bro has to be restarted many times, since the file keeps getting new IPs added,
> > so file.log has to be updated. I also found the exclude filter function, but
> > that excludes; I want to include certain traffic to be captured.
>
> You can use the packet filter framework (see
> https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html)
> to install your filter live.
>
> Regards,
> Jan
>
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 113, Issue 31
> ************************************
>



-- 
A friend in need Is a friend indeed
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150921/da5b93df/attachment.html 
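The approach Jan points to, worked through as an added example (this is not code from the thread, nor from the Bro distribution): a Bro 2.3 script that reads the blacklist with the input framework in REREAD mode and, every time the file changes, installs a live BPF filter that lets through only traffic to or from the listed hosts. It relies on PacketFilter::exclude(), which the framework wraps in "not (...)" when it builds the final filter, so handing it "not (host A or host B)" restricts capture to A and B without any restart. The file path, the stream name "blacklist" and the sample file contents are assumptions made for the example.

```bro
# blacklist-filter.bro -- added example, not from the original thread or the Bro distribution.
#
# Reads blacklisted IPs from a file that another Bro instance keeps writing and,
# whenever that file changes, rebuilds the live capture filter so that only
# packets to or from those hosts reach the analyzers. Assumes Bro 2.3.

@load base/frameworks/input
@load base/frameworks/packet-filter

module BlacklistFilter;

export {
	## Path of the blacklist file (assumed). The ASCII reader expects a
	## tab-separated file with a header, e.g. (constructed sample):
	##   #fields	ip
	##   #types	addr
	##   10.0.0.5
	##   192.0.2.17
	const blacklist_file = "/var/bro/blacklist.txt" &redef;

	## The live blacklist. Other scripts can keep testing membership with
	## `state$conn$id$orig_h in BlacklistFilter::blacklist`.
	global blacklist: set[addr] = set();
}

# Index record for Input::add_table: the file has a single column, `ip`.
type Idx: record {
	ip: addr;
};

# Build the expression handed to PacketFilter::exclude(). The framework
# negates it ("not (...)"), so excluding "not (host A or host B)" means
# capturing only A and B. With an empty list we exclude everything, so
# nothing is analyzed until the file has entries.
function build_exclude_expr(hosts: set[addr]): string
	{
	if ( |hosts| == 0 )
		return "ip or not ip";

	local parts: vector of string = vector();
	for ( h in hosts )
		parts[|parts|] = fmt("host %s", h);

	return fmt("not (%s)", join_string_vec(parts, " or "));
	}

# The input framework raises this after each (re)read of the file, i.e.
# after `blacklist` has been updated to match the file's current contents.
event Input::end_of_data(name: string, source: string)
	{
	if ( name != "blacklist" )
		return;

	local expr = build_exclude_expr(blacklist);

	# exclude() test-compiles the filter first and returns F if it is invalid
	# or takes longer than PacketFilter::max_filter_compile_time; on failure
	# the previously installed filter stays in place.
	if ( ! PacketFilter::exclude("blacklist", expr) )
		Reporter::warning(fmt("blacklist filter not installed (%d hosts): %s",
		                      |blacklist|, expr));
	else
		Reporter::info(fmt("capture restricted to %d blacklisted host(s): %s",
		                   |blacklist|, PacketFilter::current_filter));
	}

event bro_init()
	{
	# REREAD re-parses the whole file on every change, so hosts removed from
	# the file also leave the set; use Input::STREAM for an append-only file.
	Input::add_table([$source=blacklist_file,
	                  $name="blacklist",
	                  $idx=Idx,
	                  $destination=blacklist,
	                  $mode=Input::REREAD]);
	}
```

Run it as `bro -i eth0 blacklist-filter.bro` and watch packet_filter.log: every successful install is logged there with the full expression. Two caveats a practitioner will hit. First, the filter has to compile within PacketFilter::max_filter_compile_time (100 msec by default) and fit the kernel's BPF program limits, so a list of many hundreds of hosts can be rejected; in that case exclude() returns F, the old filter stays, and the in-script `in blacklist` check is the fallback. Second, "drop" here only means Bro never sees the packet; nothing is blocked on the wire, and in a cluster each worker installs its own copy of the filter.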

