[Bro] whitelisting
Vlad Grigorescu
vladg at cmu.edu
Mon Apr 29 11:26:25 PDT 2013
Hi Tracy,
Here's what my whitelisting looks like in Bro 2.1:
> # In my local.bro:
>
> const external_port_scanners_whitelist = {
>         8.8.8.8, 8.8.4.4,   # Google example
>         1.2.3.4             # Another example
> };
>
> redef Notice::policy += {
>         [$action = Notice::ACTION_EMAIL,
>          $pred(n: Notice::Info) =
>                 {
>                 return n$note == Scan::Port_Scan && n?$src &&
>                        !(n$src in external_port_scanners_whitelist);
>                 }]
> };
It's a bit clunky, but it works. The n?$src clause is used to test whether the src field exists. The Bro Workshop has some great resources for learning about notice handling [1].
Just as a preview, this got cleaned up a bit for the upcoming Bro 2.2:
> const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4 };
>
> hook Notice::policy(n: Notice::Info) &priority=10
>         {
>         if ( n$note == Scan::Port_Scan && n?$src &&
>              !(n$src in external_port_scanners_whitelist) )
>                 add n$actions[Notice::ACTION_EMAIL];
>         }
The new notation might not look like a big benefit in this short example, but it comes in handy as your notice handling becomes more complex.
Hope this helps,
--Vlad
[1] - Exercise 3 at: <http://bro.org/bro-workshop-2011/index.html>.
On Apr 29, 2013, at 6:33 AM, Tracy Reed <treed at ultraviolet.org> wrote:
> Hello all,
>
> I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
> level of detail into what is happening on the network is just amazing! I'm
> beginning to wonder how I ever did without it for so long.
>
> I have an ssh that happens every 5 minutes which causes a lot of noise.
>
> I've gone through all of the docs on bro.org and done some googling but can't
> seem to figure out how to whitelist certain connections so they will not
> constantly appear in the bro alarm summaries. I did find this, which contains
> an example for watching ssh to particular hosts which seems related to what I
> am trying to do:
>
> http://www.bro.org/sphinx/quickstart.html#deployment-customization
>
> But what I want is somewhat the opposite: I want to ignore/whitelist
> connections to certain hosts, preferably from certain IP addresses.
>
> Can anyone suggest how this would be done?
>
> And while I'm writing (and related to another example in the above URL) I get
> alarms about SSL certs. I would like to add our in-house CA to the list of
> accepted certs. How can I do this?
>
> Thanks for a great tool!
>
> --
> Tracy Reed
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
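Generalizing the Bro 2.2 hook from Vlad's reply, as an added example that is not code from his message or from the Bro distribution: a small script that keeps the whitelist in its own module so local.bro can extend it with redef, accepts subnets instead of single addresses, and also covers Tracy's case of ignoring specific source/destination pairs for notices that carry both endpoints. The module name Whitelist, the sets trusted_sources, trusted_pairs and email_if_untrusted, the function is_trusted and every address in it are names and constructed sample values chosen for this example.

```bro
# whitelist.bro -- added example (Bro 2.2 syntax), not from the original
# post or from Bro itself. All Whitelist:: names and addresses are assumptions.
#
# Load from local.bro and extend the lists there, e.g.:
#   @load ./whitelist
#   redef Whitelist::trusted_sources += { 192.0.2.0/24 };

@load misc/scan      # defines Scan::Port_Scan

module Whitelist;

export {
	## Sources whose notices should not be emailed. Declared as subnets so a
	## whole range can be listed; a single host is written as a /32.
	const trusted_sources: set[subnet] = {
		8.8.8.8/32, 8.8.4.4/32,   # constructed sample values
		10.1.2.0/24,
	} &redef;

	## (source, destination) pairs to leave alone, for notices that carry
	## both endpoints (Bro fills n$src/n$dst from the connection when a
	## notice is raised with $conn or $id).
	const trusted_pairs: set[addr, addr] = {
		[10.1.2.3, 10.9.9.9],     # constructed: monitoring host -> bastion
	} &redef;

	## Notice types to email when the source is not trusted.
	const email_if_untrusted: set[Notice::Type] = {
		Scan::Port_Scan,
	} &redef;
}

## True if the notice comes from a whitelisted source or source/destination pair.
function is_trusted(n: Notice::Info): bool
	{
	# Not every notice has a source; treat those as untrusted rather than
	# letting a missing field match by accident.
	if ( ! n?$src )
		return F;

	# addr-in-set[subnet] matches the address against every listed subnet.
	if ( n$src in trusted_sources )
		return T;

	if ( n?$dst && [n$src, n$dst] in trusted_pairs )
		return T;

	return F;
	}

hook Notice::policy(n: Notice::Info) &priority=10
	{
	if ( n$note in email_if_untrusted && ! is_trusted(n) )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Note what this does and does not suppress: like the hook in the reply, it only withholds the email action, so a whitelisted scanner still produces a line in notice.log. A notice type you never want to see at all belongs in Notice::ignored_types instead. On Bro 2.1 the same logic goes into the $pred of a Notice::policy PolicyItem, as in the first snippet of the reply.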