[Bro] vector array of string used as a pattern for matching

Aaron Gee-Clough lists at g-clef.net
Fri Feb 28 06:47:14 PST 2014


Wouldn't this be a good use case for a Bloom filter?

http://www.bro.org/sphinx/scripts/base/bif/bloom-filter.bif.html

aaron

On 02/27/2014 02:58 PM, Kellogg, Brian D (OLN) wrote:
> Thanks, I thought of that as well.  I was trying to not use a loop if at
> all possible.
>
> Thanks,
>
> Brian
>
> *From:*anthony kasza [mailto:anthony.kasza at gmail.com]
> *Sent:* Thursday, February 27, 2014 2:56 PM
> *To:* Kellogg, Brian D (OLN)
> *Cc:* bro at bro.org
> *Subject:* Re: [Bro] vector array of string used as a pattern for matching
>
> You could use a set of patterns.
>
> local foo: set[pattern] = YourPatterns;
> for ( each in foo )
>     {
>     if ( each in DomainInQuestion )
>         DoSomething;
>     }
>
> -AK
>
> On Feb 27, 2014 11:44 AM, "Kellogg, Brian D (OLN)"
> <bkellogg at dresser-rand.com> wrote:
>
> I’m trying to create an array of domain names that I want to use as a
> pattern to search on.  I know the below is wrong; just looking for
> someone to educate me on how to do this in a Bro script if it can be
> done.  thanks
>
> global ignoreDomains: vector of string = vector("webex.com", "pwc.com",
>     "messagelabs.com", "akamaitechnologies.com");
>
> when (local dst = lookup_addr(c$id$resp_h))
>     {
>     if (/ignoreDomains$/ in dst)
>         return;
>     }
>
> Thank you,
>
> *Brian Kellogg*
>
> Security Analyst; IT Governance, Risk, and Compliance
>
> 500 Paul Clark Drive, Olean,  NY 14760
>
> T: (716) 375-3186 | F: (716) 375-3557
>
> www.dresser-rand.com  NYSE: DRC
>
> Bringing energy and the environment into harmony^®
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org <mailto:bro at bro-ids.org>
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

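The approach the thread converges on, written out as an added example (not code from the original posts or from the Bro project): the domains from the question become a set of pattern literals, each anchored and dot-escaped so that a lookalike such as "notwebex.com" or "webexXcom" is not silently ignored, and a helper loops over the set the way anthony suggests. The module name IgnoreDomains and the helper is_ignored are names chosen here, not anything from the thread.

```zeek
module IgnoreDomains;

export {
    ## Domains whose resolved hostnames should be skipped (from the thread).
    ## Bro/Zeek patterns are literals: a vector of strings cannot be dropped
    ## into /.../ at run time (that would need the string_to_pattern BIF), so
    ## the list is written as patterns.  Each one anchors the suffix with
    ## (^|\.) and $ and escapes the dots, so "notwebex.com" does not match.
    const ignore_domains: set[pattern] = {
        /(^|\.)webex\.com$/,
        /(^|\.)pwc\.com$/,
        /(^|\.)messagelabs\.com$/,
        /(^|\.)akamaitechnologies\.com$/
    } &redef;

    ## Return T if host ends in one of the ignored domains.
    global is_ignored: function(host: string): bool;
}

function is_ignored(host: string): bool
    {
    # A loop over the set is unavoidable with patterns; the set is small,
    # so this is cheap compared with the DNS lookup that precedes it.
    for ( p in ignore_domains )
        {
        if ( p in host )
            return T;
        }
    return F;
    }

event connection_established(c: connection)
    {
    # Same shape as the original snippet: resolve the responder, then
    # decide whether to keep processing the connection.
    when ( local dst = lookup_addr(c$id$resp_h) )
        {
        if ( ! is_ignored(dst) )
            print fmt("%s -> %s is not on the ignore list", c$id$resp_h, dst);
        }
    timeout 5 secs
        {
        print fmt("reverse lookup of %s timed out", c$id$resp_h);
        }
    }
```

Because `lookup_addr` runs asynchronously inside `when`, the check only fires once the reverse lookup returns, which is why the `timeout` clause matters for connections whose responder never resolves.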