[Bro] Try.Bro.Org Table Creation Inquiry

Azoff, Justin S jazoff at illinois.edu
Wed Mar 8 11:37:30 PST 2017

> On Mar 8, 2017, at 1:59 PM, Philip Romero <promero at cenic.org> wrote:
> All,
> I am trying to test a script to create a table at try.bro.org that I am having some trouble getting to work and was hoping to get some insight as to how to fix the issue. The intention is to create a table that I can read from for some additional monitoring. The testing I am doing is for what I believe is a simple use case, but the long term intention is to have a foundation for which I might create additional monitoring triggers. BTW - I have not gotten to the actual trigger script yet. I am still at the table creation portion of this process.
> The intention of the table is to log "active" scanner IP sources, timestamps, and notes from the notice.log and compare these to the conn.log to trigger if a scanner actually reaches and gets a response from an internal host. I have 2 scripts that independently work on the try.bro.org site, but I am trying to get them to work at the same time. The second script only works if I manually add the file (space delimited) in try.bro.org before I run the script. 
> Ideally I'd like to have the table build live by reading in fields from either the current/notice.log or current/scanners.log I created from the first script, or even native tables created by the core bro environment. When I have these both run at the same time from try.bro.org site, I get an error opening the file source called in the second script being created by the first script. Any pointers or help on this would be greatly appreciated.

It isn't working on try.bro.org because it's running against a pcap and the bro process only runs for a fraction of a second before exiting.  At startup the file doesn't exist yet and the initial read will fail.

This won't work properly on a live cluster though due to issues that only recently got fixed with the input framework.  The next version of bro will re-try input files that couldn't be read at startup.  Previously, the input framework would stop trying after the initial failure.

In any case.. what you are trying to do doesn't actually require the use of files.  You can just add a Notice::policy hook and add the scanner ip directly to the scanners table.

- Justin Azoff

More information about the Bro mailing list