[Bro] Bro Scripting Question
Seth Hall
seth at icir.org
Fri Oct 14 06:40:58 PDT 2011
On Oct 13, 2011, at 5:38 PM, William Seemann wrote:
> From what I can gather it seems like the new_connection event would be
> an obvious place to perform my checks since it is called for inbound and
> outbound connections. Does this sound like the correct approach? Also,
> is there a simple way to determine what service(s) a host is running
> (smtp, ssh, etc)?
There is a script in the next release that is a variant on what you are looking to do. I even went back and fixed it recently since it was pretty badly broken.
Clone our git repository[1] and look at the script: scripts/policy/protocols/conn/known-services.bro [2]
1. http://www.bro-ids.org/documentation/quickstart.html#compiling-bro-source-code
2. http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/policy/protocols/conn/known-services.bro
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
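The following is an added illustration for the question above, not the known-services.bro script from the Bro repository and not code posted by either participant. It shows the approach in miniature: record the first time a local host is observed answering on a port with a detected protocol. It hooks connection_state_remove rather than new_connection, because at new_connection time dynamic protocol detection has not yet run and c$service is still empty; by the time the connection state is removed, the detected service names are available. The tracked networks, module name and the seen set are assumptions made for this example.

```bro
##! Added example: inventory of (host, port, service) triples seen for
##! responders inside the tracked networks. Not the known-services.bro
##! script; module name and networks are assumptions for illustration.

module ServiceInventory;

export {
    ## Networks whose servers we want to inventory (assumed local ranges).
    const track_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;

    ## (host, port) pairs already reported, so each service is printed once.
    global seen: set[addr, port] = set();
}

# connection_state_remove fires when Bro discards a connection's state, after
# dynamic protocol detection has had the chance to fill in c$service.
event connection_state_remove(c: connection)
    {
    local h = c$id$resp_h;
    local p = c$id$resp_p;

    # Only responders inside the tracked networks count as "our" servers.
    if ( h !in track_nets )
        return;

    # Unanswered probes and scans carry no detected service; skip them so a
    # port scan does not populate the inventory with phantom services.
    if ( |c$service| == 0 )
        return;

    # Report each (host, port) only on first sight.
    if ( [h, p] in seen )
        return;

    add seen[h, p];
    for ( svc in c$service )
        print fmt("%s is running %s on %s", h, svc, p);
    }
```

In a real deployment the print would be replaced by a Log::write call so the inventory lands in its own log file, and seen would normally carry a &create_expire attribute so hosts that stop serving a port eventually drop out of the set.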