[Bro] Newbie policy question
Chris Alexander
chris at moose.ca
Wed Apr 26 05:52:42 PDT 2006
I'm a newbie to Bro and have been reading up and playing the last several
days.
In trying to get an example from the user manual to work, I'm not having
much luck.
It's probably something obvious but...
I modified the example on page 40-41 of the User Manual to suit our site.
Here is the policy file (example.bro):
#-----------------
@load bro.init
@load brolite
const web_servers = { moose.ca, };
const mail_servers = { mail.moose.ca, };
redef allow_services_to: set[addr, port] += {
[mail_servers, smtp],
[web_servers, http],
};
if ( service !in allow_services ) NOTICE ($note=SensitiveConnection, $conn=c,]); #### This is the problem line. ####
#-----------------
Running on the cmd line leads to:
root at tester<254>/usr/local/bro # bro -r ~chris/traces/smtp ./site/example.bro
./site/example.bro, line 12: error: unknown identifier service, at or near "service"
Did a grep through $BROHOME/policy/* but couldn't find anything obvious to
load to declare "service" correctly.
What little "tidbit" am I missing?
Is there a repository of really rudimentary policy files somewhere?
TIA
--
http://moose.ca