[Bro] How should I be calling an external script from Bro?

Eric Hacecky hacecky at jlab.org
Tue Mar 15 14:15:44 PDT 2016


Justin,

Thanks for the guidance, that got me on the right path.

Here's where I am:

IPBlock.bro
//
@load base/frameworks/notice
@load base/utils/exec

module IPBLOCK;

export
{
        redef enum Notice::Action +=
        {
                ACTION_IPBLOCK,
        };

        # Notice types whose source address should be handed to blockIP.py.
        const block_types: set[Notice::Type] = {} &redef;
}

hook Notice::policy(n: Notice::Info)
{
        # Only act on the notice types listed in block_types, and only when the
        # notice actually carries a source address (Notice::Info$src is &optional).
        if ( n$note !in block_types || ! n?$src )
                return;

        add n$actions[ACTION_IPBLOCK];

        # n$src is an addr, not a string, so string_cat() cannot take it; fmt()
        # converts it and keeps a space before it so it does not run into "-t 72".
        local cmd = fmt("/usr/bin/python /usr/local/bro/share/bro/site/scripts/blockIP.py -a Bro -c 'SQL Injection' -t 72 %s", n$src);

        # Exec::run is asynchronous, so it may only be called as the condition of
        # a "when" statement. "local res" is declared by that condition; the body
        # runs once the command has exited and res holds an Exec::Result.
        when ( local res = Exec::run([$cmd=cmd]) )
        {
                # Runs after blockIP.py exits; res$exit_code and res$stdout
                # are available here if the outcome should be checked.
        }
}
//

local.bro
//
# The module above lives in IPBlock.bro, so load it under that name.
@load IPBlock

redef IPBLOCK::block_types +=
{
        HTTP::SQL_Injection_Attacker,
};
//

-----------------

broctl takes it fine with no errors (not verified as working).

I still don't understand what line 63 from your module is doing:
//
when ( local res = Exec::run([$cmd=cmd, $stdin=stdin]) )
//

What is local res?  I don't understand how that is executing the command.

Regards,
Eric

----- Original Message -----
From: "Justin S Azoff" <jazoff at illinois.edu>
To: "Eric Hacecky" <hacecky at jlab.org>
Cc: bro at bro.org
Sent: Monday, March 14, 2016 5:03:42 PM
Subject: Re: [Bro] How should I be calling an external script from Bro?

Hi,

This repo has code in it that does everything you are trying to do:

https://github.com/ncsa/bhr-bro

You should be able to see how to modify it for your environment.

This video details how the Exec works:

https://www.youtube.com/watch?v=oo4zDC24xHU

-- 
- Justin Azoff

> On Mar 14, 2016, at 4:48 PM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> New to Bro.  Trying to make sure I follow best practice here configuring it for my environment.
> 
> Currently Bro generates an email alert for HTTP::SQL_Injection_Attacker from detect-sqli.bro.
> 
> I wrote a python script to accept some parameters, including the attacker's IP that will put in a block at my firewall.
> 
> I was just going to tail Bro's notice.log and pull out the IP to feed my script anytime a SQL attack was logged there, but I figured it would be better to get Bro to do some of that lifting for me instead.
> 
> Being new to bro, I don't know how to do this.
> 
> I've googled around a bit and this is my best guess.  (definitely a guess)
> 
> - Exec module is the best way to go about this?
> 
> - If so, I'm going to do what...make a something.bro file that basically says
> 
> @load base/utils/exec
> 
> when ( <something indicating SQL_Injection_Attacker> happens = Exec::run($cmd="myScript.py 55.66.77.88 -time 720") )
> 
> - Then I would @load something.bro in my local.bro file
> 
> -----------
> 
> Assuming that's the gist of it, how am I supposed to figure out what event to look for?
> 
> when ( HTTP::SQL_Injection_Attacker )?
> 
> Every example I look at uses 'local result' instead.  Ex.  https://github.com/sooshie/bro-scripts/blob/master/misc/vt_check.bro
> 
> when (local result = Exec::run).    Why?  I don't see result defined anywhere previously?  I don't understand how that condition is ever met.
> 
> How do I make bro pass the IP to my script?
> 
> Exec::run($cmd="myScript.py [$host=c$id$orig_h]")?
> 
> Thanks,
> Eric
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
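The "what is local res" question asked in both messages above comes down to how Bro's `when` statement works: the condition declares `res`, Bro forks the command, the hook returns immediately, and the body runs later once the command has exited. The script below is an added example written for this thread; it is not code from the thread, from bhr-bro, or from the Bro distribution. It reuses the `IPBLOCK` module and `block_types` set from Eric's script, but the `block_timeout` constant, the `Reporter` messages and the script path `blockIP-stdin.py` are this example's own choices, and that script is assumed to read `key=value` lines from stdin, which Eric's `blockIP.py` does not do. It goes one step beyond the thread by passing the notice message over `$stdin` rather than on the command line, since that text comes from the detector and may contain attacker-influenced characters, whereas an `addr` renders only as digits, dots and colons and is safe to interpolate.

```bro
@load base/frameworks/notice
@load base/utils/exec

module IPBLOCK;

export
{
        # Notice types that should trigger the block script (redef in local.bro).
        const block_types: set[Notice::Type] = {} &redef;

        # Give the external script this long to exit before the timeout branch fires.
        const block_timeout = 30 sec &redef;
}

# Hypothetical helper script (assumption of this example): unlike blockIP.py
# from the thread, it reads one "key=value" line per field from stdin.
const block_script = "/usr/local/bro/share/bro/site/scripts/blockIP-stdin.py" &redef;

function run_block(n: Notice::Info)
{
        # Only the address goes on the command line: an addr renders as digits,
        # dots and colons, so the shell cannot misparse it.  The notice message
        # is free text from the detector, so it is handed over on stdin where
        # no shell quoting is involved.
        local cmd = fmt("/usr/bin/python %s -a Bro -t 72 %s", block_script, n$src);
        local input = fmt("note=%s\nmsg=%s\n", n$note, n?$msg ? n$msg : "");

        # "when" does not block.  The condition declares res, Bro forks the
        # command and this function returns; once the process exits, the
        # assignment completes and the body runs with res of type Exec::Result.
        when ( local res = Exec::run([$cmd=cmd, $stdin=input]) )
        {
                if ( res$exit_code == 0 )
                        Reporter::info(fmt("blocked %s for %s", n$src, n$note));
                else
                        Reporter::warning(fmt("block script exited %d for %s: %s",
                                              res$exit_code, n$src,
                                              res?$stderr ? join_string_vec(res$stderr, " ") : "no stderr"));
        }
        timeout block_timeout
        {
                # Taken instead of the body above if the script is still running
                # after block_timeout; res is never assigned in that case.
                Reporter::warning(fmt("block script timed out for %s", n$src));
        }
}

hook Notice::policy(n: Notice::Info)
{
        # src is &optional on Notice::Info, so check it before using it.
        if ( n$note in block_types && n?$src )
                run_block(n);
}
```

With `redef IPBLOCK::block_types += { HTTP::SQL_Injection_Attacker };` in local.bro, each SQL injection notice produces one forked run of the script; the hook itself never waits for it, which is why `res` can only be read inside the `when` body and not after the statement.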
