[Bro] Input to quarantine system

Justin Azoff JAzoff at albany.edu
Thu Oct 18 12:36:56 PDT 2012


On Thu, Oct 18, 2012 at 01:18:38PM -0600, Tyler T. Schoenke wrote:
> Hi All,
> 
> We are rewriting a helper service for due to internal changes in our
> network security environment.  We currently send Bro alarms via email to
> our Request Tracker (RT) database, and call the old helper to parse the
> email, and gather user information so we can quarantine infected
> machines.  That works decently, but I was wondering if there is a better
> way to do this.  Perhaps some method that is easier to parse.  We need
> to feed some XML into an API for our Network Access Control.
> 
> We primarily need IP, timestamp, and a short description of the alarm.  
> Right now, timestamp isn't included in the emailed alarms.   Is there a
> better way to send alarms in an easily parsable format?  Is there an
> easy way to bulk include timestamp in all alarms?
> 
> Thanks,
> 
> Tyler

I use execute_with_notice for this in 1.5.. it was disabled in 2.0
because the notice_tags function is incomplete.  I patched it a bit to
get it to work again but it needs to be finished..

I'm attaching the patch I had made.. I think it still works :-)

execute_with_notice is pretty easy to use... you just devise a new
Notice::Action and hook things up to it.  See here for an example:

https://github.com/JustinAzoff/bro_scripts/blob/2.0/ipblocker.bro

The script you call just needs to getenv BRO_ARG_MSG, BRO_ARG_SUB, etc.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
-------------- next part --------------
A non-text attachment was scrubbed...
Name: execute_with_notice.patch
Type: text/x-diff
Size: 1513 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121018/824e8adb/attachment.bin 
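As an added illustration (not code from the thread, the attached patch, or the ipblocker.bro script linked above), here is the kind of helper that execute_with_notice would invoke: it reads the BRO_ARG_* environment variables and emits the small XML record Tyler describes (IP, timestamp, short description). Only BRO_ARG_MSG and BRO_ARG_SUB are named in the post; BRO_ARG_SRC and BRO_ARG_NOTE are assumed names for the notice's source address and type, and the timestamp is taken at invocation time because the alarm itself does not carry one.

```python
import ipaddress
import os
import sys
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Variable names follow the "BRO_ARG_MSG BRO_ARG_SUB etc" convention in the
# post. BRO_ARG_SRC and BRO_ARG_NOTE are assumed names, not confirmed by it.
VAR_MSG = "BRO_ARG_MSG"
VAR_SUB = "BRO_ARG_SUB"
VAR_SRC = "BRO_ARG_SRC"
VAR_NOTE = "BRO_ARG_NOTE"


def build_quarantine_xml(env, now=None):
    """Build a <quarantine> record from BRO_ARG_* variables.

    Raises ValueError if the source address is missing or not a valid IP,
    so a malformed or truncated notice never turns into a quarantine call.
    """
    src = env.get(VAR_SRC, "").strip()
    if not src:
        raise ValueError("notice carries no source address")
    ip = ipaddress.ip_address(src)  # ValueError on anything that is not an IP
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")

    root = ET.Element("quarantine")
    ET.SubElement(root, "ip").text = str(ip)
    ET.SubElement(root, "timestamp").text = ts
    # Alarm text can contain data copied from traffic (URLs, user agents),
    # so it goes through the XML serializer, which escapes <, > and &,
    # and is capped so one noisy notice cannot bloat the NAC request.
    parts = (env.get(VAR_NOTE), env.get(VAR_MSG), env.get(VAR_SUB))
    ET.SubElement(root, "description").text = " / ".join(p for p in parts if p)[:512]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    try:
        print(build_quarantine_xml(os.environ))
    except ValueError as exc:
        print(f"refusing to quarantine: {exc}", file=sys.stderr)
        sys.exit(1)
```

The printed document is what you would hand to the NAC API; a non-zero exit tells the calling notice action that nothing was sent.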