[Bro] BRO hourly summary connectivity reports - geoip?

Konrad Weglowski knrd at rogers.com
Wed Nov 13 16:01:23 PST 2013


Thanks Justin.

I am a newbie to BRO. Where would I put that code? Would that be a separate
script which would need to be loaded in local.bro?

-----Original Message-----
From: Justin Azoff [mailto:JAzoff at albany.edu] 
Sent: November-11-13 10:21 AM
To: Konrad Weglowski
Cc: bro at bro.org
Subject: Re: [Bro] BRO hourly summary connectivity reports - geoip?

On Mon, Nov 11, 2013 at 09:57:16AM -0500, Konrad Weglowski wrote:
> Hello,
> 
> Is there a way to customize/add items that are e-mailed as a part of 
> the BRO hourly connection summary reports? I would like to add geoip 
> lookups for example?


frameworks/notice/actions/add-geodata.bro does this.

you just need to do something like:

redef Notice::lookup_location_types += {
    HTTP::MD5,
    HTTP::Incorrect_File_Type,
    HTTP::IncorrectFileTypeBadHost,
    HTTP::Sensitive_URI,
    HTTP::ResetConnection,
};

or write a notice hook that adds ACTION_ADD_GEODATA to all notices, which means taking this:

# as it appears in add-geodata.bro, which sits inside "module Notice;"
hook policy(n: Notice::Info) &priority=10
    {
    if ( n$note in Notice::lookup_location_types )
        add n$actions[ACTION_ADD_GEODATA];
    }

and adding one of your own like

# in local.bro (outside the Notice module) the hook and the action need
# the Notice:: prefix
hook Notice::policy(n: Notice::Info) &priority=10
    {
    add n$actions[Notice::ACTION_ADD_GEODATA];
    }

--
-- Justin Azoff
-- Network Security & Performance Analyst
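Answering the "where would I put that code" question above, here is an added example that is not from the original thread: a small stand-alone script loaded from local.bro. The filename and the two notice types listed in the redef are assumptions; substitute the notices you actually raise.

```bro
# geodata-notices.bro (hypothetical filename): save it next to local.bro
# and add the line "@load ./geodata-notices" to local.bro.

# Pull in the action that fills in n$remote_location from the GeoIP
# database; harmless if the notice framework already loaded it.
@load frameworks/notice/actions/add-geodata

# Extend (not replace) the built-in list of notice types that get geodata.
# Scan::Address_Scan and SSH::Password_Guessing are assumed here; use
# whatever notice types your policy actually generates.
redef Notice::lookup_location_types += {
    Scan::Address_Scan,
    SSH::Password_Guessing,
};

# Outside "module Notice;" the hook and the action enum must be fully
# qualified.  Add geodata to every notice that has a remote source host;
# a lookup on one of your own addresses would only return "unknown".
hook Notice::policy(n: Notice::Info) &priority=10
    {
    if ( n?$src && ! Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_ADD_GEODATA];
    }
```

Site::is_local_addr() relies on Site::local_nets, so make sure that is set in local.bro, otherwise every address is treated as remote.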