[Bro] loading modules and automatically using custom scripts

clautos sebclaut at gmail.com
Tue Sep 6 06:44:32 PDT 2016


I have 2 questions:
1) How do I load custom scripts in the core of Bro?
2) Is the extract files script different because it's not in the "policy"
folder?

I'm trying to understand how Bro custom scripts work.
As far as I understand, custom scripts are supposed to go in the "policy"
section, and then are called from the local.bro script.
To test this behavior I created a script that flags every DNS query.
It just generates a notice and logs it.
I run bro on my nslookups pcap (specifying the dns logger script on the
command line) and it works, but when I add: @load dummy/dummy-dns to
local.bro and just run bro without specifying the additional file I see no
notice.log file. (My script is in the folder
/opt/bro/share/bro/policy/dummy that I created for the occasion.)

Then my problem is with extracting files: my local.bro contains
@load file-extraction/extract (in the folder /opt/bro/share/bro) and it
doesn't extract files if I just run bro without specifying the script on
the command line.

broctl scripts shows my scripts, so I thought they were now used by the bro
instance, but nothing. It doesn't log the files I download, and it doesn't
notify me when I do a DNS query.
How do I do that in Bro and use custom scripts by default for all the incoming
traffic?