[Bro] whitelisting

Brian Little blittle766 at gmail.com
Tue Apr 30 01:52:26 PDT 2013


Tracy,
To add SSL Certificate Authorities to bro, I used this example:
http://mailman.icsi.berkeley.edu/pipermail/bro/2012-February/005333.html

Bro stores its own list of CAs (generated from Mozilla's list) and the
system certificates are ignored.

B Little.


On Mon, Apr 29, 2013 at 7:26 PM, Vlad Grigorescu <vladg at cmu.edu> wrote:

> Hi Tracy,
>
> Here's what my whitelisting looks like in Bro 2.1:
>
> > # In my local.bro:
> >
> > const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4, # Google example
> >                                            1.2.3.4           # Another example
> >                                          };
> >
> > redef Notice::policy += {
> >       [$action = Notice::ACTION_EMAIL,
> >        $pred(n: Notice::Info) = { return n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist); } ]
> > };
>
> It's a bit clunky, but it works. The n?$src clause is used to test whether
> the src field exists. The Bro Workshop has some great resources for
> learning about notice handling[1].
>
> Just as a preview, this got cleaned up a bit for the upcoming Bro 2.2:
>
> > const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4 };
> >
> > hook Notice::policy(n: Notice::Info) &priority=10
> >       {
> >       if ( n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist) )
> >             {
> >             add n$actions[Notice::ACTION_EMAIL];
> >             }
> >
> >       }
>
> The new notation might not look like a big benefit in this short example,
> but it comes in handy as your notice handling becomes more complex.
>
> Hope this helps,
>
>   --Vlad
>
> [1] - Exercise 3 at: <http://bro.org/bro-workshop-2011/index.html>.
>
> On Apr 29, 2013, at 6:33 AM, Tracy Reed <treed at ultraviolet.org> wrote:
>
> > Hello all,
> >
> > I am running Bro 2.1 in Security Onion 12.04 and I am very happy with it. This
> > level of detail into what is happening on the network is just amazing! I'm
> > beginning to wonder how I ever did without it for so long.
> >
> > I have an ssh that happens every 5 minutes which causes a lot of noise.
> >
> > I've gone through all of the docs on bro.org and done some googling but can't
> > seem to figure out how to whitelist certain connections so they will not
> > constantly appear in the bro alarm summaries. I did find this, which contains
> > an example for watching ssh to particular hosts which seems related to what I
> > am trying to do:
> >
> > http://www.bro.org/sphinx/quickstart.html#deployment-customization
> >
> > But what I want is somewhat the opposite: I want to ignore/whitelist
> > connections to certain hosts, preferably from certain IP addresses.
> >
> > Can anyone suggest how this would be done?
> >
> > And while I'm writing (and related to another example in the above URL) I get
> > alarms about SSL certs. I would like to add our in-house CA to the list of
> > accepted certs. How can I do this?
> >
> > Thanks for a great tool!
> >
> > --
> > Tracy Reed
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
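Added example, not from any message in this thread: a local.bro fragment in the Bro 2.2 hook style Vlad previews above, extended to the case Tracy describes (expected connections from certain sources to certain hosts). It keeps the whitelist of sources as a set[subnet] so whole ranges can be listed, and adds a second whitelist keyed on the notice's destination. The field names n$src, n$dst, n$note and n$actions are the standard Notice::Info fields; the addresses in the two sets are made-up placeholders.

```bro
# Added example (not from the thread). Bro 2.2 hook syntax, as in Vlad's
# preview. Whitelist contents below are constructed placeholder values.

# Sources allowed to generate scan notices without an email, e.g. an
# internal vulnerability scanner. addr-in-set[subnet] matches any
# contained subnet, so ranges and single hosts (/32) can be mixed.
const scanner_whitelist: set[subnet] = {
    10.0.0.0/8,      # placeholder internal management range
    8.8.8.8/32,      # the thread's example entries, written as /32
    8.8.4.4/32
} &redef;

# Destination hosts whose notices are expected noise, e.g. the host that
# receives the scheduled ssh connection every few minutes.
const dst_whitelist: set[addr] = {
    192.0.2.10       # placeholder host from the RFC 5737 documentation range
} &redef;

# True when the notice involves a whitelisted source or destination.
# n?$src / n?$dst test that the optional field is present before it is read,
# the same check Vlad's example makes.
function whitelisted(n: Notice::Info): bool
    {
    if ( n?$src && n$src in scanner_whitelist )
        return T;
    if ( n?$dst && n$dst in dst_whitelist )
        return T;
    return F;
    }

# Priority 10 runs ahead of the default Notice::policy handlers. Only
# non-whitelisted port scans get the email action; every notice still
# reaches notice.log, so the whitelist affects alerting, not the record.
hook Notice::policy(n: Notice::Info) &priority=10
    {
    if ( n$note == Scan::Port_Scan && ! whitelisted(n) )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

The two sets carry &redef so a site can append entries from another script with `redef scanner_whitelist += { ... };` instead of editing this file. Note that this pattern decides which actions a notice gets; it does not stop the notice from being generated, so the entries still appear in notice.log and can be audited later, which is usually what you want for a whitelist of "expected" scanners.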