[Bro] Newbie policy question

Robin Sommer robin at icir.org
Wed Apr 26 08:09:19 PDT 2006


On Wed, Apr 26, 2006 at 08:52 -0400, Chris Alexander wrote:

> redef allow_services_to: set[addr, port] += {
>     [mail_servers, smtp],
>     [web_servers, http],
> };
> 
> if ( service !in allow_services ) NOTICE ($note=SensitiveConnection, 
> $conn=c,]);   ####  This is the problem line.  ####

The problem here is that the "if..." is not inside an event handler.
The user manual might be a bit confusing here: this code is just an
excerpt of how to make use of the allow_services table but it does
not work on its own. Take a look at the head of the function
check_hot() in hot.bro to see how this works in a larger context.
(check_hot() is in turn called from various event handlers such as
connection_established() in conn.bro).

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICIR/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
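
The point made in the reply above, as an added example that is not part of the original message and is not taken from hot.bro: the membership test only has a connection to inspect once it sits inside an event handler. It assumes the Bro 1.x policy syntax of the time; the `example_`/`Example` names and the addresses are constructed for illustration.

```bro
# Added illustration; not the contents of hot.bro or conn.bro.
@load notice

# Hypothetical notice type, so the example does not depend on hot.bro.
redef enum Notice += { ExampleSensitiveConnection };

# Constructed allow list of (server address, service port) pairs.
# &redef lets a site policy extend it with "redef ... += { ... };".
const example_allow_services_to: set[addr, port] = {
	[192.0.2.25, 25/tcp],	# constructed mail server, SMTP
	[192.0.2.80, 80/tcp]	# constructed web server, HTTP
} &redef;

# Statements such as "if" must live inside a handler or function.
# This handler runs once per established connection, which is what
# binds "c" to a concrete connection record.
event connection_established(c: connection)
	{
	local id = c$id;

	# Raise a notice for any responder/port pair that is not allowed.
	if ( [id$resp_h, id$resp_p] !in example_allow_services_to )
		NOTICE([$note=ExampleSensitiveConnection, $conn=c,
			$msg=fmt("%s -> %s:%s is not an allowed service",
				id$orig_h, id$resp_h, id$resp_p)]);
	}
```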


