[Bro] Newbie policy question

Brian Tierney bltierney at lbl.gov
Wed Apr 26 08:28:53 PDT 2006 

The manual leaves out a key piece of information: Where to put the
" if ( service !in allow_services ) " line.

This should be in a  connection_established event.

eg:

event connection_established(c: connection)
{
        local id = c$id;
        local service = id$resp_p;
        local inbound = is_local_addr(id$resp_h);

	if ( inbound && service !in allow_services )
		NOTICE [($note=SensitiveConnection, $conn=c,
		$msg=fmt("hot: %s", full_id_string(c)) ]);
}

(note: $msg was missing from the manual. This is needed too.)

see conn.bro for more examples.

Chris Alexander wrote:
> 
> I'm a newbie to Bro and have been reading up and playing the last
> several days.
> 
> In trying to get an example from the user manual to work I'm not having
> much luck.
> 
> It's probably something obvious but...
> 
> I modified the example on page 40-41 of the User Manual to suit our site.
> 
> Here is the policy file (example.bro):
> 
> #-----------------
> 
> @load bro.init
> @load brolite
> 
> const web_servers = { moose.ca, };
> const mail_servers = { mail.moose.ca, };
> 
> redef allow_services_to: set[addr, port] += {
>     [mail_servers, smtp],
>     [web_servers, http],
> };
> 
> if ( service !in allow_services ) NOTICE ($note=SensitiveConnection,
> $conn=c,]);   ####  This is the problem line.  ####
> 
> #-----------------
> 
> Running on the cmd line leads to:
> 
> root at tester<254>/usr/local/bro # bro -r ~chris/traces/smtp
> ./site/example.bro
> ./site/example.bro, line 12: error: unknown identifier service, at or
> near "service"
> 
> Did a grep through $BROHOME/policy/* but couldn't find anything obvious
> to load to declare "service" correctly.
> 
> What little "tidbit" am I missing?
> 
> Is there a repository of really rudimentary policy files somewhere?
> 
> TIA
> 
> 

-- 
------------------------------------------------------------------------
  Brian L. Tierney,   Lawrence Berkeley National Laboratory (LBNL)
  1 Cyclotron Rd.  MS: 50B-2239,  Berkeley, CA  94720
  tel: 510-486-7381    fax: 510-495-2998   efax: 603-719-5047
  bltierney at lbl.gov   http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

More information about the Bro mailing list