[Bro] Event Suppression

Chris Crawford christopher.p.crawford at gmail.com
Mon Dec 3 15:03:27 PST 2012


I'd like to tell bro to tell me about a certain event, but then suppress
itself for a while.

I am running bro version 2.1.

I think I'm on the right track, but I'm not getting the results I expect.

Here's my script:

<script>
export {
        redef Notice::mail_dest = "me@me.com";

        redef enum Notice::Type += {
                DNS_SERV_FAIL,
        };
}


event bro_init()
        {
        # Write SERVFAIL answers to their own log, dns_serv_fail.log.
        local filter: Log::Filter = [
                $name="dns_serv_fail",
                $path="dns_serv_fail",
                # Called once per DNS::Info record; T keeps it, F drops it.
                $pred(rec: DNS::Info) = {
                        if ( rec?$rcode_name && rec$rcode_name == /SERVFAIL/ && rec?$query )
                                {
                                # Raise a notice, suppressed per query name for 10 seconds.
                                NOTICE([$note=DNS_SERV_FAIL,
                                        $msg=fmt("Check out %s. It failed to resolve %s.",
                                                 rec$id$orig_h, rec$query),
                                        $suppress_for=10sec,
                                        $identifier=cat(rec$query)]);
                                return T;
                                }
                        else
                                return F;
                },
                $include=set("ts", "uid", "id.orig_h", "query", "rcode_name")];
        Log::add_filter(DNS::LOG, filter);
        }
</script>

I expect that after seeing a certain DNS query in my log, there should be,
at a minimum, a 10 second delay until the next entry.

However, when I visit a few known domains that cause a DNS SERVFAIL,
there's no evidence that there was any suppression:

<log>
2012-12-03T17:50:17-0500        VwaSrYrTxi      10.10.10.1    foo.org    SERVFAIL
2012-12-03T17:50:17-0500        UqKgxpLZXdl     10.10.10.1    foo.org    SERVFAIL
2012-12-03T17:50:38-0500        RYIqIhSukA3     10.10.10.1    foo.org    SERVFAIL
2012-12-03T17:50:35-0500        mUI17wg5yTc     10.10.10.1    foo.org    SERVFAIL
2012-12-03T17:50:38-0500        KemCuIc90gg     10.10.10.1    foo.org    SERVFAIL
2012-12-03T17:50:29-0500        8lhNeEBFhpk     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:50:30-0500        OIaKdzZRoVg     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:50:34-0500        Z7dzjrZq2hg     10.10.10.1    foo.org    SERVFAIL
2012-12-03T17:50:43-0500        8xWwzjhwtJ3     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:50:44-0500        0wgsg6dNt75     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:50:45-0500        MLQiHZEsHFg     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:50:47-0500        ebViJIKgTsa     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:50:55-0500        6rmI6q4oc5c     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:50:56-0500        rJJziyz3Snk     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:51:07-0500        OVppLHtXjPf     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:51:08-0500        2B20RG46gtl     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:51:19-0500        1OSfSKiNIL2     10.10.10.1    bar.com    SERVFAIL
2012-12-03T17:51:20-0500        LK7pwe5inc1     10.10.10.1    bar.com    SERVFAIL
</log>

Any tips on what I'm doing wrong?

-Chris
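An added example, not from the post above: a Log::Filter predicate is evaluated for every DNS::Info record and $suppress_for governs only the Notice framework, so the notice is suppressed while dns_serv_fail.log still receives every SERVFAIL. This variant keeps the NOTICE as posted and separately throttles the log inside the predicate with a set whose entries expire after 10 seconds; it assumes the Bro 2.1 Log::Filter, NOTICE and &create_expire API as used in the post, and the set name `recent_servfail` is my own.

```bro
# Added example (not the poster's script). Assumes Bro 2.1.
export {
        redef enum Notice::Type += {
                DNS_SERV_FAIL,
        };
}

# Query names already written to dns_serv_fail.log. Each entry is removed
# automatically 10 seconds after it was added, so a name can be logged at
# most once per 10 second window. (Name is my own choice.)
global recent_servfail: set[string] &create_expire=10sec;

event bro_init()
        {
        local filter: Log::Filter = [
                $name="dns_serv_fail",
                $path="dns_serv_fail",
                $pred(rec: DNS::Info) = {
                        if ( ! rec?$rcode_name || rec$rcode_name != "SERVFAIL" || ! rec?$query )
                                return F;

                        # Notice-side suppression: the framework drops repeats
                        # with the same $identifier for $suppress_for.
                        NOTICE([$note=DNS_SERV_FAIL,
                                $msg=fmt("%s failed to resolve %s", rec$id$orig_h, rec$query),
                                $identifier=cat(rec$query),
                                $suppress_for=10sec]);

                        # Log-side throttle: the predicate itself must remember
                        # what it already let through, the notice does not help here.
                        if ( rec$query in recent_servfail )
                                return F;

                        add recent_servfail[rec$query];
                        return T;
                },
                $include=set("ts", "uid", "id.orig_h", "query", "rcode_name")];
        Log::add_filter(DNS::LOG, filter);
        }
```

With this predicate the foo.org and bar.com bursts in the log above would collapse to one line each per 10 second window, while notice.log and the mailed notices are still controlled by $suppress_for.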