[Bro] [Bro type clash]

Eugene Dautzenberg edautz at gmail.com
Thu Nov 24 13:39:26 PST 2016



Your reply solves my syntax error, but I want to use an external script to
push a message to my phone when a notice occurs.


When I have an Intel hit and a port scan I see the notice.log filled.



#separator \x09
#set_separator ,
#empty_field   (empty)
#unset_field   -
#path   notice
#open   2016-11-24-22-26-05
#fields ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  fuid  file_mime_type  file_desc  proto  note  msg  sub  src  dst  p  n  peer_descr  actions  suppress_for  dropped  remote_location.country_code  remote_location.region  remote_location.city  remote_location.latitude
#types  time  string  addr  port  addr  port  string  string  string  enum  enum  string  string  addr  addr  port  count  string  set[enum]  interval  bool  string  string  string  double  double

1480022763.168490  Cim1y02Kw1ySXSCjFb  43632  80  -  -  -  tcp  Intel::Notice  Intel hit on at HTTP::IN_HOST_HEADER  80  -  bro  Notice::ACTION_EMAIL,Notice::ACTION_LOG  0.000000  F  -  -  -  -  -

1480022784.174025  -  -  -  -  -  -  -  -  -  Scan::Port_Scan  scanned at least 15 unique ports of host in 0m1s  local  -  -  bro  Notice::ACTION_EMAIL,Notice::ACTION_LOG  0.000000  F  -  -  -  -  -


In my local.bro I have a hook in the notice policy:


hook Notice::policy(n: Notice::Info)
    {
    add n$actions[Notice::ACTION_EMAIL];

    # Build the command line for the external push script.
    local cmd: string;
    if ( n$id?$orig_h )
        cmd = fmt("/home/pi/scripts/pushover_notify Bro_alert src: %s %s", n$id$orig_h, n$msg);
    else
        cmd = fmt("/home/pi/scripts/pushover_notify Bro_alert ...");   # rest of this line was cut off in the original message

    # (what is done with cmd afterwards was not included in the message)
    }

But the else part is not executed for the port scan, even though id.orig_h
in the notice.log contains a -, so the "then" branch should be false on a port scan.


Can you help me out? 



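As an added example (not code from this thread and not part of Bro itself), here is a version of the hook that checks the record the way Bro's types require. In Notice::Info the field `id` is the one declared `&optional`; the fields of `conn_id` (`orig_h` etc.) are mandatory, so `n$id?$orig_h` first dereferences `n$id`, which for a Scan::Port_Scan notice is not set at all (those notices carry `src` instead). The correct test is `n?$id`, with `n?$src` as the fallback. The example also hands the message text to the helper on stdin through Exec::run instead of splicing `n$msg` into a shell command line, because `n$msg` can contain attacker-influenced text (an Intel hit on a Host header, for instance) that must never be parsed by a shell. Assumptions: the helper path `/home/pi/scripts/pushover_notify` is the poster's, the helper is assumed to read its message from standard input rather than from arguments, and the `notify_types` list is illustrative.

```bro
@load base/frameworks/notice
@load base/utils/exec
@load policy/frameworks/intel/do_notice
@load policy/misc/scan

module PushNotify;

export {
    ## Path of the local push helper (assumption: replace with your own;
    ## the helper must read the message from stdin).
    const notify_script = "/home/pi/scripts/pushover_notify" &redef;

    ## Only these notice types are pushed to the phone (illustrative list).
    const notify_types: set[Notice::Type] = {
        Intel::Notice,
        Scan::Port_Scan,
    } &redef;
}

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note !in notify_types )
        return;

    add n$actions[Notice::ACTION_EMAIL];

    # Notice::Info$id is &optional; conn_id$orig_h is not. So test whether
    # the id record itself is present. Port scan notices have no id but
    # do set src, so fall back to that.
    local src = "unknown";
    if ( n?$id )
        src = cat(n$id$orig_h);
    else if ( n?$src )
        src = cat(n$src);

    local text = fmt("Bro_alert src: %s %s", src, n$msg);

    # The command line is a fixed string; the message goes to the helper's
    # stdin, so nothing attacker-controlled is ever shell-parsed.
    when ( local r = Exec::run([$cmd=notify_script, $stdin=text]) )
        {
        if ( r$exit_code != 0 )
            Reporter::warning(fmt("push notification failed, exit code %d", r$exit_code));
        }
    }
```

Drop this into local.bro (or a file loaded from it). If the helper currently takes the message as arguments, change it to read one message from stdin; that is the whole point of not building a command string from notice contents.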

From: Daniel Guerra [mailto:daniel.guerra69 at gmail.com]
Sent: Thursday 24 November 2016 19:36
To: Zeolla at GMail.com
CC: Eugene Dautzenberg; bro at bro.org
Subject: Re: [Bro] [Bro type clash]


Check if present first.

if ( n$id?$orig_h )

    if ( n$id$orig_h =





On 24 Nov 2016, at 19:23, Zeolla at GMail.com <zeolla at gmail.com> wrote:


Have you tried n$id?$orig_h ?  Should return true if it is set.  Are you
concerned that it may contain something but it isn't a valid IP?  

Also, I believe "-" is just a representation of an unset field for the log


On Thu, Nov 24, 2016, 13:06 Eugene Dautzenberg <edautz at gmail.com> wrote:

I want to check if


contains a valid ip address.

But when I use an if comparison, something like:

If ( n$id$orig_h = "-" )

I got a type clash (string and cmd) error.

How to solve this?


Sent from my iPhone
Bro mailing list
bro at bro-ids.org



Sent from my mobile device


