[Bro] Detecting Local Hosts

Seth Hall seth at icir.org
Mon Oct 24 07:36:50 PDT 2011


On Oct 24, 2011, at 1:57 AM, William Seemann wrote:

> Can someone tell me if there is an easy way to detect if a connection is 
> being made by a local host rather than an external one? For instance, if 
> I have a cluster of machines and an instance of Bro running is there any 
> easy way to distinguish connections made by these machines vs. external 
> ones? Is maintaining a list of local hosts and performing a check (shown 
> below) the only way to accomplish this?

There is a shorthand function for getting this information: is_local_addr.  You give it an address and it returns T or F.  In the upcoming release it has moved into the Site:: namespace though so it will be Site::is_local_addr (I don't know if you are working with the git master or 1.5.x).  Regardless, you still need to be careful and give it the correct address to check.  It sounds like this will work for you...

if ( is_local_addr(c$id$orig_h) )   # orig_h is the originator's address (conn_id has no plain "orig" field)
	{
	# do something
	}

In order for the is_local_addr function to work, you need to also be sure you have populated the local_nets variable (Site::local_nets in the repository).  Here's an example:

redef local_nets += { 1.2.3.0/24, 4.3.2.0/24 };

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
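As an added example (not part of the thread or of the Bro distribution), the script below puts Seth's two pieces together: it populates the local networks and then classifies every established connection by which endpoint is local, checking the originator and responder separately. It assumes the Site:: names from git master; the subnets and the LocalCheck module name are placeholders.

```bro
# Added example, not from the original thread. Assumes the git-master
# names Site::local_nets and Site::is_local_addr; on 1.5.x drop the
# Site:: prefix. The subnets below are placeholders, not real ranges.

module LocalCheck;

# is_local_addr() only knows what is listed in local_nets, so an empty
# set makes every address look external.
redef Site::local_nets += { 10.0.0.0/8, 192.168.1.0/24 };

export {
	# Classify a connection by which endpoints fall inside local_nets.
	global classify: function(id: conn_id): string;
}

function classify(id: conn_id): string
	{
	# Check each side on its own: is_local_addr() takes a single address,
	# so handing it the wrong side silently gives the wrong answer.
	local o = Site::is_local_addr(id$orig_h);
	local r = Site::is_local_addr(id$resp_h);

	if ( o && r )
		return "local->local";
	if ( o && ! r )
		return "local->external";
	if ( ! o && r )
		return "external->local";
	return "external->external";
	}

event connection_established(c: connection)
	{
	local kind = classify(c$id);
	# Only inbound connections from outside local_nets are printed here;
	# change the comparison to whichever class you care about.
	if ( kind == "external->local" )
		print fmt("%s %s:%s -> %s:%s", kind, c$id$orig_h, c$id$orig_p,
		          c$id$resp_h, c$id$resp_p);
	}

event bro_init()
	{
	# Sanity check that the redef above actually populated the set.
	print fmt("Tracking %d local subnets", |Site::local_nets|);
	}
```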
