[Bro] whitelisting

Vlad Grigorescu vladg at cmu.edu
Mon Apr 29 11:26:25 PDT 2013


Hi Tracy,

Here's what my whitelisting looks like in Bro 2.1:

> # In my local.bro:
> 
> const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4, # Google example
>                                            1.2.3.4           # Another example
>                                          };
> 
> redef Notice::policy += {
>       [$action = Notice::ACTION_EMAIL,
>        $pred(n: Notice::Info) = { return n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist); } ]
> };

It's a bit clunky, but it works. The n?$src clause is used to test whether the src field exists. The Bro Workshop has some great resources for learning about notice handling[1].

Just as a preview, this got cleaned up a bit for the upcoming Bro 2.2:

> const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4 };
> 
> hook Notice::policy(n: Notice::Info) &priority=10
>       {
>       if ( n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist) )
>             {
>             add n$actions[Notice::ACTION_EMAIL];
>             }
> 
>       }

The new notation might not look like a big benefit in this short example, but it comes in handy as your notice handling becomes more complex.

Hope this helps,

  --Vlad

[1] - Exercise 3 at: <http://bro.org/bro-workshop-2011/index.html>.
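An added example, not code from Vlad's mail or from the Bro project, that extends the 2.2 hook style above to Tracy's case: dropping selected notices entirely when they come from a known source to a known destination, rather than only withholding the e-mail action. The addresses, the LocalWhitelist module name, and the assumption that the notice framework's own default-action hook runs at &priority=10 are mine; it also assumes the scan script that defines Scan::Port_Scan is loaded, as in Vlad's local.bro.

```bro
# Whitelist of (notice type, source, destination) for the Bro 2.2 hook-based
# Notice::policy.  Put this in local.bro or a script loaded from it.
module LocalWhitelist;

export {
	## Notice types the whitelist below is allowed to silence.
	const whitelisted_notes: set[Notice::Type] = {
		Scan::Port_Scan,
	} &redef;

	## Sources allowed to trigger those notices without being reported.
	## 10.0.0.5 is a constructed placeholder for an internal monitoring host.
	const trusted_sources: set[addr] = { 10.0.0.5 } &redef;

	## Destinations those sources may touch.  10.0.0.9 is a placeholder too.
	const trusted_destinations: set[addr] = { 10.0.0.9 } &redef;
}

# Returns T when a notice matches the whitelist on every field it carries.
# A notice that has no $src is never whitelisted, so a mangled or
# source-less notice is still reported rather than silently dropped.
function is_whitelisted(n: Notice::Info): bool
	{
	if ( n$note !in whitelisted_notes )
		return F;

	if ( ! n?$src || n$src !in trusted_sources )
		return F;

	# If the notice carries a destination it must be trusted as well;
	# if it carries none, the trusted source alone decides.
	if ( n?$dst && n$dst !in trusted_destinations )
		return F;

	return T;
	}

# Assumed: the framework assigns its default actions (including the log
# action) in its own hook at &priority=10.  Running at a higher priority
# and breaking out of the hook stops every later hook body, so the notice
# gets no actions at all and never reaches notice.log or the alarm summary.
hook Notice::policy(n: Notice::Info) &priority=20
	{
	if ( is_whitelisted(n) )
		break;
	}
```

To whitelist a source regardless of destination, leave trusted_destinations empty for that host and rely on the source check alone; every entry is still visible in one place, which keeps the exemptions auditable.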

On Apr 29, 2013, at 6:33 AM, Tracy Reed <treed at ultraviolet.org> wrote:

> Hello all,
> 
> I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
> level of detail into what is happening on the network is just amazing! I'm
> beginning to wonder how I ever did without it for so long.
> 
> I have an ssh that happens every 5 minutes which causes a lot of noise. 
> 
> I've gone through all of the docs on bro.org and done some googling but can't
> seem to figure out how to whitelist certain connections so they will not
> constantly appear in the bro alarm summaries. I did find this, which contains
> an example for watching ssh to particular hosts which seems related to what I
> am trying to do:
> 
> http://www.bro.org/sphinx/quickstart.html#deployment-customization
> 
> But what I want is somewhat the opposite: I want to ignore/whitelist
> connections to certain hosts, preferably from certain IP addresses.
> 
> Can anyone suggest how this would be done?
> 
> And while I'm writing (and related to another example in the above URL) I get
> alarms about SSL certs. I would like to add our in-house CA to the list of
> accepted certs. How can I do this?
> 
> Thanks for a great tool!
> 
> -- 
> Tracy Reed
