[Bro] How does @prefixes = local work again?
Randolph Reitz
rreitz at fnal.gov
Mon Aug 20 08:09:24 PDT 2007
Feeling empowered by having attended the recent BRO workshop, I
decided I wanted to make a change to the scan.bro policy script. I
recall that I heard that I should not change any scripts in the /usr/
local/bro/policy directory. Rather I should move the desired script
to /usr/local/bro/site and change the name to local.scan.bro for
example. Having done this, when I start bro I get ...
[root at rhyolite ~]# /etc/init.d/bro start
bro.rc: Running as non-root user root
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/local.scan.bro, line 1: error: can't open scan
... FAILED
Hmmm, looking at permissions in /usr/local/bro/site I see ...
[root at rhyolite rreitz]# ls -l /usr/local/bro/site
total 452
-rw-r--r-- 1 root root 6 Apr 17 00:55 incident_counter
-rw-r--r-- 1 root root 13639 Aug 20 09:37 local.scan.bro
-rw-r--r-- 1 root root 464 Jul 24 00:42 local.site.bro
-rw-r--r-- 1 root root 2026 Aug 14 14:49 rhyolite.fnal.gov.bro
-rw-r--r-- 1 root root 424977 Aug 6 09:47 signatures.sig
-rw-r--r-- 1 root root 926 Jul 25 11:06 watchdarknets.bro
The script /usr/local/bro/site/local.scan.bro begins with ...
[root at rhyolite ~]# head /usr/local/bro/site/local.scan.bro
# $Id: scan.bro 4613 2007-07-06 04:16:51Z vern $
@load notice
@load port-name
@load hot
@load trw-impl
redef enum Notice += {
	AddressDropped,		# connectivity w/ given address has been dropped
	AddressDropIgnored,	# a request to drop connectivity has been ignored
One more question. In scan.bro I want to call a script that will
create an event in Fermilab's issue tracker whenever a scanner is
found. I used the drop_connectivity_script variable to point to my
script. Will the system() call use the existing $PATH to find the
script? Should the script be in /usr/local/bro/scripts directory?
I'm using Bro Version 1.3.2. My bro start policy looks like this...
[root at rhyolite ~]# cat /usr/local/bro/site/rhyolite.fnal.gov.bro
# $Id: local.lite.bro 1115 2005-03-20 06:51:11Z vern $
# This file is intended for host-specific Bro policy.
# What is host-specific? It can be anything that is not the default
# after installation. This is the place to make tweaks and changes
# to modify policy to suit your network environment and preferences.
# The following causes Bro to load local.XXX.bro anytime you
# "@load XXX" (along with first loading XXX.bro).
#
@prefixes = local
#@load brolite # root policy which loads all other default policies.
#
# brolite is too much for this system to handle, copy initial part
# of brolite policy down to scan.
#
# General policy - these scripts are more infrastructural than service
# oriented, so in general avoid changing anything here.
@load site # defines local and neighbor networks from static config
@load tcp # initialize BPF filter for SYN/FIN/RST TCP packets
@load weird # initialize generic mechanism for unusual events
@load conn # access and record connection events
@load hot # defines certain forms of sensitive access
@load frag # process TCP fragments
@load print-resources # on exit, print resource usage information
# Scan detection policy.
@load scan # generic scan detection mechanism
# Do drop scanning addresses
redef can_drop_connectivity = T;
redef drop_connectivity_script = "tissue-event";
@load trw # additional, more sensitive scan detection
#@load drop             # include if installation has ability to drop hostile remotes
# now add selected policies
@load notice
@load login
@load irc
@load irc-bot
# Record system statistics to the notice file
@load stats
# File generated by the network script for dynamic configuration of
# the local network subnets.
#@load site
# Make any changes to policy starting HERE:
# To run signatures, uncomment the following line.
#@load brolite-sigs
@ifdef ( use_signatures )
# Load Bro signatures. This is the default file containing Bro
# signatures.
redef signature_files += "signatures";
@endif
Thanks,
Randy
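As an added illustration (not part of the original post or of the Bro distribution) of what a drop_connectivity_script such as "tissue-event" might look like, here is a POSIX sh wrapper. It assumes, without confirmation from the post, that the scan policy invokes the script through system() with the scanning address as its first positional argument, and that a bare name like "tissue-event" is therefore looked up in the $PATH of the bro process; the spool file path and the tissue_event/is_ipv4 function names are hypothetical. Because the argument is handed to a shell, the wrapper refuses anything that is not a dotted-quad IPv4 address before passing it on.

```shell
#!/bin/sh
# Added example: a drop_connectivity_script wrapper for Bro's scan policy.
# ASSUMPTION (not confirmed by the post): scan.bro runs
#   system(fmt("%s %s", drop_connectivity_script, a))
# so the scanner's address arrives as $1. system() goes through /bin/sh,
# which means a bare script name is resolved via the $PATH of the bro
# process; an absolute path in the redef avoids depending on that.

# Hypothetical spool file; a real deployment would call the issue tracker.
SPOOL="${BRO_TICKET_SPOOL:-/tmp/bro-ticket-spool}"

# Accept only a dotted-quad IPv4 address (four octets, each 0-255).
# Anything else is rejected so a malformed or hostile value can never
# reach another shell or the ticketing system.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit, leading/trailing dot, empty octet
    esac
    oldIFS=$IFS
    IFS=.
    set -- $1                               # split into octets (function-local args)
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Record a ticket request for the scanner address. Returns 0 when the
# request was spooled, 1 when the argument was rejected.
tissue_event() {
    addr=$1
    if ! is_ipv4 "$addr"; then
        echo "tissue-event: refusing non-IPv4 argument: $addr" >&2
        return 1
    fi
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s scanner=%s action=drop_connectivity\n' "$stamp" "$addr" >> "$SPOOL"
}

# Only act when invoked with an argument (as Bro would); this lets the
# functions be sourced by other scripts without side effects.
if [ $# -gt 0 ]; then
    tissue_event "$1" || exit 1
fi
```

Install it under an absolute path (for instance /usr/local/bro/scripts/tissue-event, mode 0755) and point drop_connectivity_script at that full path so the result does not depend on the $PATH the init script happens to export.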