[Bro] Converting a Bro Script to A New Stream

Chris Crawford christopher.p.crawford at gmail.com
Mon Aug 27 14:48:02 PDT 2012


Thanks, Seth.  This works great, and it gives me better insight into
how to write my own bro scripts.

Now, I feel like my follow up question has an obvious answer, but I'm
just not seeing it --

Let's say I want to also email the alert, in addition to logging it.
I've added a notice statement, and attempted to redefine
Notice::mail_dest and Notice::policy as outlined in the bro docs:
http://www.bro-ids.org/documentation/notice.html

When I run the script, though, I don't receive an email.  I know that
bro's email is working, because I am receiving hourly reports.  What
am I missing?

Attached the script, but if it doesn't post to the list, I'll follow
up this post with the code.

-Chris

On Mon, Aug 20, 2012 at 10:42 AM, Seth Hall <seth at icir.org> wrote:
>
> On Aug 16, 2012, at 5:32 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>
>> redef record rec += {
>>        foo: Info &optional;
>> };
>
>> error in ./test.bro, line 22: unknown identifier (Foo::rec)
>> error in ./test.bro, line 35 and ./test.bro, line 39: already defined (Foo::rec)
>
> I don't think you need that little chunk of code I left above.  We do that in many base scripts as a way of hiding protocol specific information within the connection record.  There is no existing record type named "rec" though and it doesn't look like you need to hide this information anywhere since you are deriving all of your log directly from data in the DNS::log_dns event.
>
> There is a better way to do this though and it was something we specifically considered in the logging framework.  Here's a log filter you can run that will give you the log you want…
>
> event bro_init()
>         {
>         local filter: Log::Filter = [
>                 $name="only-1.2.3.4",
>                 $path="foo",
>                 $pred(rec: DNS::Info) = {
>                         if ( rec?$qtype_name && rec?$answers &&
>                              rec$qtype_name == "A" )
>                                 {
>                                 for ( i in rec$answers )
>                                         if ( "1.2.3.4" in rec$answers[i] )
>                                                 return T;
>                                 }
>                         return F;
>                 },
>                 $include=set("ts", "uid", "id.orig_h", "query")];
>         Log::add_filter(DNS::LOG, filter);
>         }
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
-------------- next part --------------
export {
        # Destination for notice e-mails (placeholder address; the archive
        # rendered the "@" as " at ").
        redef Notice::mail_dest = "email_address@inet.com";

        # Our own notice type.
        redef enum Notice::Type += {
                Foo,
        };

        # The notice framework e-mails every type listed here; the policy
        # item below requests e-mail for the same type a second way.
        redef Notice::emailed_types += {
                Foo,
        };
}

# Explicit policy item: e-mail every notice whose type is Foo.
redef Notice::policy += {
        [$pred(n: Notice::Info) = { return n$note == Foo; },
         $action = Notice::ACTION_EMAIL]
};

event bro_init()
        {
        local filter: Log::Filter = [
                $name="poison_hits",
                $path="poison_hits",
                # The predicate runs for every DNS log record; returning T
                # writes the record to poison_hits.log.
                $pred(rec: DNS::Info) = {
                        if ( rec?$qtype_name && rec?$answers && rec$qtype_name == "A" )
                                {
                                for ( i in rec$answers )
                                        # Note: "in" on two strings is a substring test.
                                        if ( "1.2.3.4" in rec$answers[i] )
                                                {
                                                NOTICE([$note=Foo, $msg="Foo detected."]);
                                                return T;
                                                }
                                }
                        return F;
                },
                $include=set("ts", "uid", "id.orig_h", "query")];
        Log::add_filter(DNS::LOG, filter);
        }
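A variant of the attached script, added here as an example rather than code from the thread or from the Bro project: it keeps the watched answer address in a redef-able set, compares answers exactly instead of by substring, and de-duplicates the notice per client and query so an e-mail action cannot flood a mailbox. It assumes Bro 2.0-style notice suppression ($identifier/$suppress_for) and reuses the thread's placeholder address 1.2.3.4; the PoisonWatch module name, the Hit notice type and the answer_hit function are my own.

```bro
module PoisonWatch;

export {
	redef enum Notice::Type += {
		## A DNS "A" answer resolved to an address in the watch set.
		Hit,
	};

	## Addresses to watch for (1.2.3.4 is the thread's placeholder).
	## Extend from site policy: redef PoisonWatch::watch += { 5.6.7.8 };
	const watch: set[addr] = { 1.2.3.4 } &redef;

	## E-mail every Hit notice (same mechanism as the thread's script).
	redef Notice::emailed_types += { Hit };
}

# Exact address comparison avoids the substring pitfall of "1.2.3.4" in s,
# which also matches "11.2.3.4" or "1.2.3.45". Answers that are not a
# dotted quad (e.g. a CNAME in the chain) never reach to_addr().
function answer_hit(answers: vector of string): bool
	{
	for ( i in answers )
		{
		if ( /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ in answers[i] &&
		     to_addr(answers[i]) in watch )
			return T;
		}
	return F;
	}

event bro_init()
	{
	Log::add_filter(DNS::LOG, [
		$name="poison_hits",
		$path="poison_hits",
		$pred(rec: DNS::Info) = {
			if ( ! rec?$qtype_name || rec$qtype_name != "A" ||
			     ! rec?$query || ! rec?$answers || ! answer_hit(rec$answers) )
				return F;
			# One notice per (client, query) per hour instead of one per
			# lookup, so the e-mail action cannot flood the mailbox.
			NOTICE([$note=Hit,
			        $msg=fmt("%s resolved to a watched address", rec$query),
			        $id=rec$id, $uid=rec$uid,
			        $identifier=cat(rec$id$orig_h, rec$query),
			        $suppress_for=1hr]);
			return T;
		},
		$include=set("ts", "uid", "id.orig_h", "query", "answers")]);
	}
```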

