[Bro] creating bro scripts

John Babio jbabio at po-box.esu.edu
Wed Aug 14 08:07:07 PDT 2013


Thanks Anthony,
Here is what I have so far. How do I create a notice out of it?

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
	{
	# Test the event's own qtype argument rather than c$dns$qtype: at priority 5 the base
	# DNS script's handler may not have populated c$dns yet. DNS::PTR is the base script's constant (12).
	if ( qtype == DNS::PTR )
		return;
	}

From: anthony kasza <anthony.kasza at gmail.com>
Date: Tuesday, August 13, 2013 7:42 PM
To: John Babio <jbabio at po-box.esu.edu>
Subject: Re: [Bro] creating bro scripts


Determine the event you want to act on (sounds like you want dns_request) and write a code block for it. Put that into a file and call it when you run Bro or load the file in the local.bro script.
Check out Liam Randall's fire scripts on github. They print to screen or count when an event occurs.

On Aug 13, 2013 4:32 PM, "John Babio" <jbabio at po-box.esu.edu> wrote:
I wanted to start working on something to get acquainted with the bro programming. I figured DNS might be a good start. It seems to be the way I learn the best and I learned python this way. My goals are maybe create something simple that displays a notice for a particular query type, PTR, NS, MX etc.

Where is there a good example of how I go about this? Inside of policy/protocols/dns ?
Once I create this I can call it from local.bro correct?


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
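The script below is an added example (not code posted by anyone in this thread) showing one way to turn the dns_request handler into a notice for the PTR/NS/MX query types asked about above, loadable from local.bro as the original question asks. It assumes the Bro 2.x notice framework (NOTICE, Notice::Type) and the base DNS scripts' DNS::query_types name table; the module name, notice type and file name are made up for the example.

```bro
##! Raise a notice when a DNS query of a watched type (PTR, NS, MX by default) is seen.
##! Save as dns-query-notice.bro and add "@load ./dns-query-notice" to local.bro.

@load base/frameworks/notice
@load base/protocols/dns

module DNSQueryNotice;

export {
	redef enum Notice::Type += {
		## A DNS query whose type is in DNSQueryNotice::watched_qtypes.
		Watched_Query_Type,
	};

	## Numeric query types (RFC 1035 codes) that trigger the notice.
	## 2 = NS, 12 = PTR, 15 = MX. Redefinable from local.bro.
	const watched_qtypes: set[count] = { 2, 12, 15 } &redef;

	## How long to suppress repeated notices for the same client/type/name.
	const suppress_interval = 1hr &redef;
}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	# Use the event's qtype argument directly; c$dns may not be filled in yet
	# depending on handler ordering, and the argument is always present.
	if ( qtype !in watched_qtypes )
		return;

	# DNS::query_types maps the numeric code to a name ("PTR", "MX", ...) and
	# has a &default, so unknown codes still yield a string.
	local qtype_name = DNS::query_types[qtype];

	NOTICE([$note=Watched_Query_Type,
	        $msg=fmt("%s query from %s for %s", qtype_name, c$id$orig_h, query),
	        $sub=qtype_name,
	        $conn=c,
	        # Same client asking the same type for the same name is one event,
	        # not a flood of notices, for suppress_interval.
	        $identifier=cat(c$id$orig_h, qtype, query),
	        $suppress_for=suppress_interval]);
	}
```

With the default notice policy the result lands in notice.log; to narrow it to one type, redef watched_qtypes in local.bro (for example, only 12 for PTR).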