[Bro] Input to quarantine system
Justin Azoff
JAzoff at albany.edu
Thu Oct 18 12:36:56 PDT 2012
On Thu, Oct 18, 2012 at 01:18:38PM -0600, Tyler T. Schoenke wrote:
> Hi All,
>
> We are rewriting a helper service for due to internal changes in our
> network security environment. We currently send Bro alarms via email to
> our Request Tracker (RT) database, and call the old helper to parse the
> email, and gather user information so we can quarantine infected
> machines. That works decent, but I was wondering if there is a better
> way to do this. Perhaps some method that is easier to parse. We need
> to feed some XML into an API for our Network Access Control.
>
> We primarily need IP, timestamp, and a short description of the alarm.
> Right now, timestamp isn't included in the emailed alarms. Is there a
> better way to send alarms in an easily parsable format? Is there an
> easy way to bulk include timestamp in all alarms?
>
> Thanks,
>
> Tyler
I use execute_with_notice for this in 1.5.. it was disabled in 2.0
because the notice_tags function is incomplete. I patched it a bit to
get it to work again but it needs to be finished..
I'm attaching the patch I had made.. I think it still works :-)
execute_with_notice is pretty easy to use... you just device a new
Notice::Action and hook things up to it. see here for example
https://github.com/JustinAzoff/bro_scripts/blob/2.0/ipblocker.bro
the script you call just needs to getenv BRO_ARG_MSG BRO_ARG_SUB etc
--
-- Justin Azoff
-- Network Security & Performance Analyst
-------------- next part --------------
A non-text attachment was scrubbed...
Name: execute_with_notice.patch
Type: text/x-diff
Size: 1513 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121018/824e8adb/attachment.bin
More information about the Bro
mailing list