[Bro] script working from cmd line but not from local.bro

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Fri Jan 3 06:29:34 PST 2014


susTx.bro is the simplified version of the script that works.

trackOutTx.bro is the one that doesn't.

Another thing I'm seeing is I cannot find these notices in Elsa once the notice.log has been rotated by SO.  I'm sure I'm just not understanding something as I'm quite new to SO, Bro, and Elsa.  Is there something else I have to do to ensure these notices show up in the Elsa archive?  Is there a delay of several hours before they show up in Elsa?


Thank you,
Brian Kellogg
Security Analyst; IT Governance, Risk, and Compliance
500 Paul Clark Drive, Olean,  NY 14760
T: (716) 375-3186 | F: (716) 375-3557

-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: Friday, January 03, 2014 9:08 AM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] script working from cmd line but not from local.bro


On Jan 2, 2014, at 6:13 PM, "Kellogg, Brian D (OLN)" <bkellogg at dresser-rand.com> wrote:

> I have a script I've been writing for a couple weeks that looks at every connection's total bytes.  If the total bytes when the connection is removed from memory is over X bytes then raise a Bro notice.  I have a global variable structure defined to keep track of internal hosts that have uploaded more than X bytes in a connection.

Please post the script so we can review it.

Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: susTx.bro
Type: application/octet-stream
Size: 1253 bytes
Desc: susTx.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140103/19877b54/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trackOutTx.bro
Type: application/octet-stream
Size: 4869 bytes
Desc: trackOutTx.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140103/19877b54/attachment-0001.obj 

