[Bro] Converting a Bro Script to A New Stream

Chris Crawford christopher.p.crawford at gmail.com
Tue Aug 28 08:55:32 PDT 2012


One additional note.  Foo is showing up in my notice.log:

#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	policy_items	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude	metric_index.host	metric_index.str	metric_index.network
#types	time	string	addr	port	addr	port	enum	enum	string	string	addr	addr	port	count	string	table[enum]	table[count]	interval	bool	string	string	string	double	double	addr	string	subnet
1345028672.101773	-	-	-	-	-	-	Foo	Foo detected.	-	-	-	-	-	bro	Notice::ACTION_LOG,Notice::ACTION_EMAIL	7,6	3600.000000	F	-	-	-	-	-	-	-	-

So, the notice framework seems to be doing something.

-Chris


On Mon, Aug 27, 2012 at 5:49 PM, Chris Crawford
<christopher.p.crawford at gmail.com> wrote:
> Looks like the code didn't post.
>
> For the benefit of the mailing list, this is what the script looks like:
>
> export {
>         redef Notice::mail_dest = "email_address at inet.com";
>
>         redef enum Notice::Type += {
>                 Foo,
>         };
>
>         redef Notice::emailed_types += {
>                 Foo,
>         };
> }
>
>
>
> redef Notice::policy += {
>   [$pred(n: Notice::Info) = {
>      return n$note == Foo;
>    },
>    $action = Notice::ACTION_EMAIL]
>   };
>
> event bro_init()
>         {
>         local filter: Log::Filter = [
>                 $name="poison_hits",
>                 $path="poison_hits",
>                 $pred(rec: DNS::Info) = {
>                         if ( rec?$qtype_name && rec?$answers && rec$qtype_name == "A" )
>                                 {
>                                 for ( i in rec$answers )
>                                         if ( "1.2.3.4" in rec$answers[i] )
>                                                 {
>                                                 NOTICE([$note=Foo, $msg="Foo detected."]);
>                                                 return T;
>                                                 }
>                                 }
>                         return F;
>                 },
>                 $include=set("ts", "uid", "id.orig_h", "query")];
>         Log::add_filter(DNS::LOG, filter);
>         }
>
>
> On Mon, Aug 27, 2012 at 5:48 PM, Chris Crawford
> <christopher.p.crawford at gmail.com> wrote:
>> Thanks, Seth.  This works great, and it gives me better insight into
>> how to write my own bro scripts.
>>
>> Now, I feel like my follow up question has an obvious answer, but I'm
>> just not seeing it --
>>
>> Let's say I want to also email the alert, in addition to logging it.
>> I've added a notice statement, an attempted to redefine
>> Notice::mail_dest and Notice::policy as outlined in the bro docs:
>> http://www.bro-ids.org/documentation/notice.html
>>
>> When I run the script, though, I don't receive an email.  I know that
>> bro's email is working, because I am receiving hourly reports.  What
>> am I missing?
>>
>> Attached the script, but if it doesn't post to the list, I'll follow
>> up this post with the code.
>>
>> -Chris
>>
>> On Mon, Aug 20, 2012 at 10:42 AM, Seth Hall <seth at icir.org> wrote:
>>>
>>> On Aug 16, 2012, at 5:32 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>>>
>>>> redef record rec += {
>>>>        foo: Info &optional;
>>>> };
>>>
>>>> error in ./test.bro, line 22: unknown identifier (Foo::rec)
>>>> error in ./test.bro, line 35 and ./test.bro, line 39: already defined (Foo::rec)
>>>
>>> I don't think you need that little chunk of code I left above.  We do that in many base scripts as a way of hiding protocol specific information within the connection record.  There is no existing record type named "rec" though and it doesn't look like you need to hide this information anywhere since you are deriving all of your log directly from data in the DNS::log_dns event.
>>>
>>> There is a better way to do this though and it was something we specifically considered in the logging framework.  Here's a log filter you can run that will give you the log you want…
>>>
>>> event bro_init()
>>>         {
>>>         local filter: Log::Filter = [
>>>                 $name="only-1.2.3.4",
>>>                 $path="foo",
>>>                 $pred(rec: DNS::Info) = {
>>>                         if ( rec?$qtype_name && rec?$answers &&
>>>                              rec$qtype_name == "A" )
>>>                                 {
>>>                                 for ( i in rec$answers )
>>>                                         if ( "1.2.3.4" in rec$answers[i] )
>>>                                                 return T;
>>>                                 }
>>>                         return F;
>>>                 },
>>>                 $include=set("ts", "uid", "id.orig_h", "query")];
>>>         Log::add_filter(DNS::LOG, filter);
>>>         }
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro-ids.org/
>>>
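The script in the thread raises the NOTICE from inside the Log::Filter predicate, so detection only happens as a side effect of deciding which DNS records to write to poison_hits.log. The following is an added example (not code from the thread or from the Bro project) that separates the two: the notice is raised from the DNS::log_dns event Seth mentions, and the filter only selects records. The module name DNSPoison, the notice type Poisoned_Answer and the watch_addrs set are assumptions; 1.2.3.4 and the poison_hits path are the values used in the thread. It also replaces the substring test `"1.2.3.4" in rec$answers[i]`, which also matches answers such as 11.2.3.45, with an exact set membership check, and sets `$identifier` so repeated hits from the same client for the same name are suppressed for the default suppress_for interval. The actions column of the notice.log above already shows Notice::ACTION_EMAIL being applied, so the remaining question in the thread is mail delivery, which this example does not address.

```bro
# Added example, Bro 2.x syntax. Module, notice type and watch list are
# assumed; 1.2.3.4 and the poison_hits path come from the thread.
@load base/frameworks/notice
@load base/protocols/dns

module DNSPoison;

export {
	redef enum Notice::Type += {
		## An "A" answer resolved to an address on the watch list.
		Poisoned_Answer,
	};

	## Addresses that should never appear in an A-record answer.
	## Extend with: redef DNSPoison::watch_addrs += { "..." };
	const watch_addrs: set[string] = set("1.2.3.4") &redef;

	## Email the notice in addition to logging it.
	redef Notice::emailed_types += { Poisoned_Answer };
}

# True when the record is an "A" lookup with at least one answer that is
# exactly a watched address. Exact comparison avoids the substring match
# of the original predicate, which also fires on 11.2.3.45.
function has_watched_answer(rec: DNS::Info): bool
	{
	if ( ! rec?$qtype_name || ! rec?$answers || rec$qtype_name != "A" )
		return F;

	for ( i in rec$answers )
		if ( rec$answers[i] in watch_addrs )
			return T;

	return F;
	}

# Detection lives in the event handler, so it fires once per DNS record
# regardless of which log filters are installed.
event DNS::log_dns(rec: DNS::Info)
	{
	if ( ! has_watched_answer(rec) )
		return;

	local qname = rec?$query ? rec$query : "<no query>";

	NOTICE([$note=Poisoned_Answer,
	        $msg=fmt("%s resolved to a watched address", qname),
	        $sub=join_string_vec(rec$answers, ","),
	        $uid=rec$uid,
	        $id=rec$id,
	        # One notice per client/query pair within suppress_for.
	        $identifier=cat(rec$id$orig_h, qname)]);
	}

# The filter only decides which records land in poison_hits.log; it
# reuses the same check so the log and the notices stay consistent.
event bro_init()
	{
	local filter: Log::Filter = [
		$name="poison_hits",
		$path="poison_hits",
		$pred(rec: DNS::Info) = { return has_watched_answer(rec); },
		$include=set("ts", "uid", "id.orig_h", "query", "answers")];
	Log::add_filter(DNS::LOG, filter);
	}
```

Run it with `bro -r some.pcap dnspoison.bro` (file name assumed) and check notice.log for Poisoned_Answer and poison_hits.log for the selected records; if the notice appears with ACTION_EMAIL in its actions column but no mail arrives, the problem is outside this script.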