[Bro] Newbie policy question

Chris Alexander chris at moose.ca
Wed Apr 26 09:05:23 PDT 2006


Thank you both very much!

I had a feeling there was something I wasn't seeing in the forest for all 
the trees in my way. I've got something that works now.

For the other newbies that may stumble across this thread in the archives 
this generates useful (??) output to the log files with Bro v1.0:

#----------------- Start test code (example.bro)

@load bro.init
@load brolite
@load conn

#
# Modify these values for your site
#
const web_servers = { moose.ca, internel.moose.ca, };
const mail_servers = { mail.moose.ca, mailgate.moose.ca, };

# Services that particular local hosts are allowed to offer.
# allow_services is the site-wide set of ports; allow_services_to is
# per-host, keyed on [addr, port]. Each set element here expands to
# every (server, port) pair.
redef allow_services_to: set[addr, port] += {
     [mail_servers, smtp],
     [web_servers, http],
};

event connection_established(c: connection)
{
     local id = c$id;
     local service = id$resp_p;
     local inbound = is_local_addr(id$resp_h);

     # Flag inbound connections to a service that is neither allowed
     # site-wide nor allowed for this particular responder host.
     if ( inbound && service !in allow_services &&
          [id$resp_h, service] !in allow_services_to ) {
         NOTICE([$note=SensitiveConnection, $conn=c,
                 $msg=fmt("hot: %s", full_id_string(c))]);
     }
}

#---------------- EOF

To generate "offline" data to play with do something like:

  # tcpdump -i bge0 -w ~chris/traces/smtp.trace -c 100000000 port smtp &

Then to run the script against this captured trace file once it has 
captured all the data:

  # bro -r ~chris/traces/smtp.trace ./site/example.bro

Hope this helps someone in the future. Maybe the quick start guide or user manual 
could be updated with something more fleshed out along these lines for the 
next revision? Just an idea. I'd be happy to provide text if required.

Onward ho, time to stumble in the fog now that the sun has risen.

Thanks again.

-- 
http://moose.ca
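The policy above distinguishes a site-wide allow list of ports (Bro's allow_services) from a per-host allow list of [addr, port] pairs (allow_services_to). The following Python is an added offline re-implementation of that check over constructed connection tuples, not Bro code and not from the post; the addresses, networks and the allow-list contents are assumed sample values standing in for the hostnames in the script.

```python
"""Offline model of the example.bro allow-list check (added example).

A connection is 'hot' when it is inbound to a local host and its
responder port is neither allowed site-wide (allow_services) nor
allowed for that specific responder host (allow_services_to).
"""
from ipaddress import ip_address, ip_network

# Constructed sample values standing in for moose.ca and friends.
LOCAL_NETS = [ip_network("192.0.2.0/24")]
WEB_SERVERS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
MAIL_SERVERS = {ip_address("192.0.2.25"), ip_address("192.0.2.26")}
HTTP, SMTP, SSH = 80, 25, 22

# Site-wide allowed ports (models Bro's allow_services: set[port]).
ALLOW_SERVICES = {SSH}
# Per-host allowed services (models allow_services_to: set[addr, port]),
# built the way the redef in the post expands its set elements.
ALLOW_SERVICES_TO = ({(h, SMTP) for h in MAIL_SERVERS}
                     | {(h, HTTP) for h in WEB_SERVERS})


def is_local_addr(a):
    """Models site.bro's is_local_addr for the sample local networks."""
    return any(a in n for n in LOCAL_NETS)


def is_hot(orig_h, resp_h, resp_p):
    """True if the connection would raise the SensitiveConnection notice."""
    resp = ip_address(resp_h)
    if not is_local_addr(resp):
        return False          # outbound: not this policy's concern
    if resp_p in ALLOW_SERVICES:
        return False          # allowed anywhere on the site
    if (resp, resp_p) in ALLOW_SERVICES_TO:
        return False          # allowed on this particular host
    return True


def find_hot(connections):
    """Return the (orig_h, resp_h, resp_p) tuples the policy would flag."""
    return [c for c in connections if is_hot(*c)]


# Constructed sample connections: (orig_h, resp_h, resp_p).
SAMPLE = [
    ("198.51.100.7", "192.0.2.25", SMTP),   # smtp to a mail server: ok
    ("198.51.100.7", "192.0.2.10", SMTP),   # smtp to a web server: hot
    ("198.51.100.8", "192.0.2.10", HTTP),   # http to a web server: ok
    ("198.51.100.9", "192.0.2.50", SSH),    # ssh: allowed site-wide
    ("198.51.100.9", "192.0.2.50", 3306),   # unlisted service: hot
    ("192.0.2.10", "198.51.100.9", 3306),   # outbound: ignored
]

if __name__ == "__main__":
    for c in find_hot(SAMPLE):
        print("hot: %s -> %s:%d" % c)
```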
