[Bro] NetControl configuration

Johanna Amann johanna at icir.org
Wed Apr 5 09:30:51 PDT 2017


Hi,

The script excerpt is not quite long enough to see what exactly is going
on here (it does, for example, not show where conn_id is coming from and
how you defined it).

Could you perhaps just post the complete script in its current state?

Johanna

On Thu, Mar 30, 2017 at 02:32:51PM +0000, Andrew Dellana wrote:
> Got around to adding net control to all the scripts, and now they are failing. The script is FoxIT's ransomware script.  Any idea how I can get this to work?
> 
> 
> event NetControl::init()
> {
> NetControl::drop_connection (conn_id, 0, "Cyrpto Blocked")
> }
> 
> 
> hook Notice::policy(n: Notice::Info)
>         {
>         if fox_entropy=T Then
>                 add n$actions[Notice::ACTION_DROP]
>                 add n$actions[Notice::ACTION_EMAIL];
>         }
> 
> 
> 
> 
> error in /opt/bro/share/bro/base/init-bare.bro, lines 123-127 and /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127: type clash (conn_id and conn_id)
> error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127 and /opt/bro/share/bro/base/init-bare.bro, lines 123-127: type mismatch (conn_id and conn_id)
> error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127: argument type mismatch in function call (NetControl::drop_connection(conn_id, 0, Cyrpto Blocked))
> error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 128: syntax error, at or near "}"
> 
> 
> Kind regards / Best regards,
> 
> Andrew Dellana
> Intern
> ________________________
> 
> 
> -----Original Message-----
> From: Azoff, Justin S [mailto:jazoff at illinois.edu] 
> Sent: Thursday, March 16, 2017 11:08 AM
> To: Andrew Dellana
> Cc: bro at bro.org
> Subject: Re: [Bro] NetControl configuration
> 
> 
> > On Mar 16, 2017, at 11:04 AM, Andrew Dellana <andrew.dellana> wrote:
> > 
> > Yes,  I do want to make the NetControl actions based on what is alerted in Notices. Can all the helpers be stored in one file and only call the helper that is needed?
> 
> Yep, you can do exactly that.
> 
> -- 
> - Justin Azoff
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
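For comparison, here is the shape a working version of this wiring normally takes. This is an added example and not code from the thread, from FoxIT's script, or from the Bro project; the module name `RansomBlock`, the notice type `Suspicious_Entropy`, the `block_duration` constant and the port-based trigger in `connection_established` are placeholders standing in for the real detector's logic, while the `NetControl::` and `Notice::` calls are the framework's own API. Two things it does differently from the quoted snippets: `NetControl::drop_connection` is given a `conn_id` value (`c$id` or `n$id`, taken from a real connection) rather than the `conn_id` type name, which is what the "type clash (conn_id and conn_id)" lines report, and every statement ends in a semicolon, which is what the syntax error at the closing brace is about.

```bro
##! Added example: block a connection from a notice via NetControl.
##! Everything named RansomBlock/Suspicious_Entropy is a placeholder.

@load base/frameworks/netcontrol
@load base/frameworks/notice

module RansomBlock;

export {
	redef enum Notice::Type += {
		## Placeholder notice type standing in for the detector's own.
		Suspicious_Entropy
	};

	## How long the connection stays blocked (placeholder value).
	const block_duration = 5min &redef;
}

# Activate one backend at startup. The debug plugin only logs the rules it
# would install, so the script can be exercised without a real firewall,
# OpenFlow or acld backend behind it.
event NetControl::init()
	{
	local debug_plugin = NetControl::create_debug(T);
	NetControl::activate(debug_plugin, 0);
	}

# drop_connection() needs a conn_id value: the id of an actual connection
# record (c$id), not the conn_id type. Passing $conn=c into NOTICE lets
# the notice framework fill in n$id, n$src and n$dst for the policy hook.
event connection_established(c: connection)
	{
	# Placeholder condition; the real detector would compute entropy here.
	if ( c$id$resp_p != 4444/tcp )
		return;

	# Direct route: drop this one connection for block_duration and keep
	# the rule id NetControl hands back, which is also written to netcontrol.log.
	local rule_id = NetControl::drop_connection(c$id, block_duration, "Crypto blocked");

	NOTICE([$note=Suspicious_Entropy,
	        $msg=fmt("suspicious connection to %s (netcontrol rule %s)",
	                 c$id$resp_h, rule_id),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

# Notice route: attach actions only to this notice type. ACTION_DROP is
# handled by the notice framework's drop action, which blocks the notice's
# source address (n$src) through NetControl; ACTION_EMAIL mails the notice.
# A deployment would normally pick either the direct or the notice route,
# not both; both are shown here so each can be compared with the snippets above.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != Suspicious_Entropy )
		return;

	add n$actions[Notice::ACTION_DROP];
	add n$actions[Notice::ACTION_EMAIL];
	}
```

With the debug plugin active, running this against a pcap containing a TCP session to port 4444 produces a `netcontrol.log` entry for the drop rule and a `notice.log` line carrying `Notice::ACTION_DROP,Notice::ACTION_EMAIL`; swapping `create_debug(T)` for a real backend (for example the acld or OpenFlow plugins shipped with NetControl) is the only change needed to enforce the block.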

