[Bro] creating bro scripts

anthony kasza anthony.kasza at gmail.com
Wed Aug 14 08:20:13 PDT 2013


See the 'raising notices' section here
http://bro.org/sphinx/notice.html
On Aug 14, 2013 8:07 AM, "John Babio" <jbabio at po-box.esu.edu> wrote:

> Thanks Anthony,
> Here is what I have so far. How do I create a notice out of it?
>
> event dns_request(c: connection, msg: dns_msg, query: string, qtype:
> count, qclass: count) &priority=5
>         {
>         if ( c$dns$qtype == PTR )
>                 return;
> }
>
> From: anthony kasza <anthony.kasza at gmail.com<mailto:
> anthony.kasza at gmail.com>>
> Date: Tuesday, August 13, 2013 7:42 PM
> To: John Babio <jbabio at po-box.esu.edu<mailto:jbabio at po-box.esu.edu>>
> Subject: Re: [Bro] creating bro scripts
>
>
> Determine the event you want to act on (sounds like you want dns_request)
> and write a code block for it. Put that into a file and call it when you
> run Bro or load the file in the local.bro script.
> Check out Liam Randall's fire scripts on github. They print to screen or
> count when an event occurs.
>
> On Aug 13, 2013 4:32 PM, "John Babio" <jbabio at po-box.esu.edu<mailto:
> jbabio at po-box.esu.edu>> wrote:
> I wanted to start working on something to get aquainted with the bro
> programming. I figured DNS might be a good start. It seems to be the way I
> learn the best and I learned python this way. My goals are maybe create
> something simple that displays a notice for a particular query type, PTR,
> NS, MX etc.
>
> Where is there a good example of how I go about this? Inside of
> policy/protocols/dns ?
> Once I create this I can call it from local.bro correct?
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org<mailto:bro at bro-ids.org>
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130814/fd00a61b/attachment.html 


More information about the Bro mailing list