[Bro] vector array of string used as a pattern for matching

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Thu Feb 27 11:58:35 PST 2014


Thanks, I thought of that as well.  I was trying to not use a loop if at all possible.

Thanks,
Brian

From: anthony kasza [mailto:anthony.kasza at gmail.com]
Sent: Thursday, February 27, 2014 2:56 PM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] vector array of string used as a pattern for matching


You could use a set of patterns.

foo: set[pattern] = YourPatterns
for (each in foo)
{
  if (each in DomainInQuestion)
    DoSomething
}

-AK
On Feb 27, 2014 11:44 AM, "Kellogg, Brian D (OLN)" <bkellogg at dresser-rand.com> wrote:
I'm trying to create an array of domain names that I want to use as a pattern to search on.  I know the below is wrong; just looking for someone to educate me on how to do this in a Bro script if it can be done.  Thanks.

global ignoreDomains: vector of string = vector("webex.com", "pwc.com", "messagelabs.com", "akamaitechnologies.com");

                when (local dst = lookup_addr(c$id$resp_h))
                        {
                        if (/ignoreDomains$/ in dst)
                                return;
                        }


Thank you,
Brian Kellogg
Security Analyst; IT Governance, Risk, and Compliance
500 Paul Clark Drive, Olean,  NY 14760
T: (716) 375-3186 | F: (716) 375-3557
www.dresser-rand.com     NYSE: DRC



_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
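
Added example, not part of the original thread: one loop-free way to do what the question asks is to build a single suffix pattern from the domain list at startup, the same approach Bro's own site.bro uses for local zone names. It assumes `set_to_regex()` from base/utils/patterns.bro is loaded; the names `ignore_domains` and `ignore_domains_regex`, the choice of `connection_established`, and the `print` line are hypothetical.

```bro
# Added example (not from the thread). Assumes base/utils/patterns.bro is
# loaded with the base scripts; all identifiers defined here are hypothetical.

# Domains whose hosts should be skipped; can be extended with redef.
const ignore_domains: set[string] = {
	"webex.com",
	"pwc.com",
	"messagelabs.com",
	"akamaitechnologies.com"
} &redef;

# Placeholder until bro_init() builds the real pattern.
global ignore_domains_regex: pattern = /MATCH_NOTHING/;

event bro_init()
	{
	# set_to_regex() escapes each set element and ORs them together where
	# "~~" appears in the template. The prefix (^\.?|\.) forces the match
	# to begin at the start of the name or at a label boundary, so
	# "foo.webex.com" matches while "notwebex.com" does not.
	ignore_domains_regex = set_to_regex(ignore_domains, "(^\\.?|\\.)(~~)$");
	}

event connection_established(c: connection)
	{
	when ( local dst = lookup_addr(c$id$resp_h) )
		{
		# Single pattern match against the PTR name, no loop needed.
		if ( ignore_domains_regex in dst )
			return;

		# Hypothetical follow-up for hosts that are not ignored.
		print fmt("%s -> %s (%s)", c$id$orig_h, c$id$resp_h, dst);
		}
	}
```

Reverse DNS names are set by whoever controls the address's PTR zone, so a PTR-based ignore list is noise reduction rather than a trust decision.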