[Bro] Converting a Bro Script to A New Stream

Chris Crawford christopher.p.crawford at gmail.com
Mon Aug 27 14:49:54 PDT 2012


Looks like the code didn't post.

For the benefit of the mailing list, this is what the script looks like:

export {
        redef Notice::mail_dest = "email_address at inet.com";

        redef enum Notice::Type += {
                Foo,
        };

        redef Notice::emailed_types += {
                Foo,
        };
}



redef Notice::policy += {
  [$pred(n: Notice::Info) = {
     return n$note == Foo;
   },
   $action = Notice::ACTION_EMAIL]
  };

event bro_init()
        {
        # Log filter: only DNS::Info records for which $pred returns T are
        # written to the poison_hits log, restricted to the $include fields.
        local filter: Log::Filter = [
                $name="poison_hits",
                $path="poison_hits",
                $pred(rec: DNS::Info) = {
                        if ( rec?$qtype_name && rec?$answers &&
                             rec$qtype_name == "A" )
                                {
                                for ( i in rec$answers )
                                        if ( "1.2.3.4" in rec$answers[i] )
                                                {
                                                # The notice is raised from inside the log predicate.
                                                NOTICE([$note=Foo,
                                                        $msg="Foo detected."]);
                                                return T;
                                                }
                                }
                        return F;
                },
                $include=set("ts", "uid", "id.orig_h", "query")];
        Log::add_filter(DNS::LOG, filter);
        }


On Mon, Aug 27, 2012 at 5:48 PM, Chris Crawford
<christopher.p.crawford at gmail.com> wrote:
> Thanks, Seth.  This works great, and it gives me better insight into
> how to write my own bro scripts.
>
> Now, I feel like my follow up question has an obvious answer, but I'm
> just not seeing it --
>
> Let's say I want to also email the alert, in addition to logging it.
> I've added a notice statement, and attempted to redefine
> Notice::mail_dest and Notice::policy as outlined in the bro docs:
> http://www.bro-ids.org/documentation/notice.html
>
> When I run the script, though, I don't receive an email.  I know that
> bro's email is working, because I am receiving hourly reports.  What
> am I missing?
>
> Attached the script, but if it doesn't post to the list, I'll follow
> up this post with the code.
>
> -Chris
>
> On Mon, Aug 20, 2012 at 10:42 AM, Seth Hall <seth at icir.org> wrote:
>>
>> On Aug 16, 2012, at 5:32 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>>
>>> redef record rec += {
>>>        foo: Info &optional;
>>> };
>>
>>> error in ./test.bro, line 22: unknown identifier (Foo::rec)
>>> error in ./test.bro, line 35 and ./test.bro, line 39: already defined (Foo::rec)
>>
>> I don't think you need that little chunk of code I left above.  We do that in many base scripts as a way of hiding protocol specific information within the connection record.  There is no existing record type named "rec" though and it doesn't look like you need to hide this information anywhere since you are deriving all of your log directly from data in the DNS::log_dns event.
>>
>> There is a better way to do this though and it was something we specifically considered in the logging framework.  Here's a log filter you can run that will give you the log you want…
>>
>> event bro_init()
>>         {
>>         local filter: Log::Filter = [
>>                 $name="only-1.2.3.4",
>>                 $path="foo",
>>                 $pred(rec: DNS::Info) = {
>>                         if ( rec?$qtype_name && rec?$answers &&
>>                              rec$qtype_name == "A" )
>>                                 {
>>                                 for ( i in rec$answers )
>>                                         if ( "1.2.3.4" in rec$answers[i] )
>>                                                 return T;
>>                                 }
>>                         return F;
>>                 },
>>                 $include=set("ts", "uid", "id.orig_h", "query")];
>>         Log::add_filter(DNS::LOG, filter);
>>         }
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
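Added example, not code from the thread or from Bro itself: a Python re-implementation of the dns.log filter predicate used in both scripts above, run over a few constructed dns.log lines so the matching logic can be checked offline. It assumes the Bro 2.x dns.log column order listed in FIELDS (tab-separated, answers comma-separated, "-" for an unset field); the uids, hosts and names in the sample are made up. The point worth checking before relying on the filter: Bro's `in` operator on two strings is a substring test, so `"1.2.3.4" in rec$answers[i]` also matches an answer such as 11.2.3.45. The `exact` flag compares whole answers instead, which is what one would want for an address watchlist.

```python
# Added example (not part of the thread): Python re-implementation of the
# dns.log filter predicate from the scripts above, run over constructed
# dns.log lines so the matching logic can be checked offline.
# Assumptions: Bro 2.x dns.log column order as listed in FIELDS,
# tab-separated, answers comma-separated, "-" for an unset field.

from typing import Dict, List, Tuple

# Column order assumed for the constructed sample; a real dns.log carries
# the actual order in its "#fields" header line.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "query", "qtype_name", "answers"]

INCLUDE = ("ts", "uid", "id.orig_h", "query")  # mirrors the $include set
WATCHED = "1.2.3.4"                            # address the filter looks for

# Constructed sample records (uids, hosts and names are made up).
SAMPLE_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    "1346100000.1\tCXWv6p3arKYeMETxOg\t10.0.0.5\t53124\t10.0.0.1\t53\twww.example.test\tA\t1.2.3.4",
    "1346100001.2\tC3k9Uo1rLJfNwkB7fa\t10.0.0.6\t53125\t10.0.0.1\t53\tcdn.example.test\tA\t11.2.3.45,93.184.216.34",
    "1346100002.3\tCz8Pq22x0nlm7qWg2h\t10.0.0.7\t53126\t10.0.0.1\t53\tmail.example.test\tMX\t1.2.3.4",
    "1346100003.4\tCQbp4m3Z5RtY9H8nJ1\t10.0.0.8\t53127\t10.0.0.1\t53\tnx.example.test\tA\t-",
])


def parse_line(line: str) -> Dict[str, object]:
    """Turn one tab-separated dns.log line into a record dict.

    Unset fields ("-") become None, which plays the role of the rec?$field
    test in the Bro predicate; answers becomes a list like Bro's vector.
    """
    rec: Dict[str, object] = dict(zip(FIELDS, line.rstrip("\n").split("\t")))
    for key in ("qtype_name", "answers"):
        if rec.get(key) == "-":
            rec[key] = None
    if rec.get("answers") is not None:
        rec["answers"] = str(rec["answers"]).split(",")
    return rec


def pred(rec: Dict[str, object], notices: List[Dict[str, str]],
         exact: bool = False) -> bool:
    """The $pred from the script: keep the record (and raise a notice)
    when it is an A-record response carrying the watched address.

    exact=False reproduces the script's `"1.2.3.4" in rec$answers[i]`,
    which in Bro is a substring test; exact=True compares whole answers.
    """
    if rec.get("qtype_name") is None or rec.get("answers") is None:
        return False
    if rec["qtype_name"] != "A":
        return False
    for answer in rec["answers"]:
        hit = (answer == WATCHED) if exact else (WATCHED in answer)
        if hit:
            # Stand-in for NOTICE([$note=Foo, $msg="Foo detected."])
            notices.append({"note": "Foo", "msg": "Foo detected.",
                            "uid": str(rec["uid"])})
            return True
    return False


def filter_log(text: str, exact: bool = False
               ) -> Tuple[List[Dict[str, object]], List[Dict[str, str]]]:
    """Apply the filter to a whole log: returns (rows kept, notices raised),
    each kept row reduced to the $include columns."""
    rows: List[Dict[str, object]] = []
    notices: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if pred(rec, notices, exact):
            rows.append({k: rec[k] for k in INCLUDE})
    return rows, notices


if __name__ == "__main__":
    for mode in (False, True):
        kept, raised = filter_log(SAMPLE_LOG, exact=mode)
        print("exact" if mode else "substring", "match:",
              [r["query"] for r in kept], len(raised), "notice(s)")
```

With the substring test the cdn.example.test record is kept and a second notice is raised because 11.2.3.45 contains 1.2.3.4; with `exact=True` only the www.example.test record matches. The MX record and the record with no answers are excluded in both modes, exactly as the `rec?$answers` and `qtype_name == "A"` checks in the Bro predicate intend.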
