[Bro] software/version-changes.bro comparison between the two versions.

fatema bannatwala fatema.bannatwala at gmail.com
Tue Feb 21 09:50:32 PST 2017

I was going through the version-changes.bro script, thinking of adding some
to track the version changes, but realized that there is no comparison done
between the
old version tracked and the version detected in "rec: Info" of log_software

Hence, was thinking to add a condition to check it before the notice is
raised for the version
change, like following:
( or I might be missing something regarding the functionality of the
script. :/)

event log_software(rec: Info)
local ts = tracked[rec$host];

if ( rec$name in ts )
local old = ts[rec$name];

# Is it a potentially interesting version change?
if ( rec$name in interesting_version_changes )

  *if (software_fmt_version(old$version) !=
             { local msg = fmt("%.6f %s switched from %s to %s (%s)",
network_time(), rec$software_type,
software_fmt(rec), rec$software_type);
       NOTICE([$note=Software_Version_Change, $src=rec$host,
       $msg=msg, $sub=software_fmt(rec)]);

Any thoughts? anybody using this script to track software changes?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170221/24545fb3/attachment-0001.html 

More information about the Bro mailing list