[Bro] script working from cmd line but not from local.bro
Justin Azoff
JAzoff at albany.edu
Fri Jan 3 09:40:27 PST 2014
On Fri, Jan 03, 2014 at 02:29:34PM +0000, Kellogg, Brian D (OLN) wrote:
> susTx.bro is the simplified version of the script that works.
>
> trackOutTx.bro is the one that doesn't.
First thing to do would be to check the reporter.log for errors.
For performance/clarity reasons you should change this:
    for (x in psubs) {
        if (c$id$orig_h in psubs[x]) {
            # check to see if dest ip is not an internal IP
            for (y in psubs) {
                if (c$id$resp_h in psubs[y]) {
                    notFound = F;
                    break;
                }
            }
            # dest IP was not an internal IP so lets do this
to something like
    # check to see if orig IP is an internal IP
    if ( ! Site::is_local_addr(c$id$orig_h) )
        return;

    # check to see if dest ip is not an internal IP
    if ( Site::is_local_addr(c$id$resp_h) )
        return;
or Site::is_private_addr, but you probably want is_local_addr.
Bro natively supports sets of addresses so you don't need to loop.
--
-- Justin Azoff
-- Network Security & Performance Analyst
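An added example (not part of Justin's reply or the original poster's scripts) of a complete script built on the pattern above: Site::is_local_addr for the internal/external test and a set[addr] lookup instead of nested loops over a table of subnets. The module name, notice type, watched_hosts set and the local_nets values are constructed for illustration.

```bro
# Added example: flag connections from a watched internal host to an
# external host. Assumes Bro 2.x; names and addresses are constructed.
module TrackOutTx;

export {
    redef enum Notice::Type += { Outbound_From_Watched_Host };

    # Internal hosts of interest; set membership is a hash lookup,
    # so no loop over the set is needed (constructed sample values).
    const watched_hosts: set[addr] = { 10.1.2.3, 10.1.2.4 } &redef;
}

# Site::local_nets drives Site::is_local_addr (constructed values;
# normally set in networks.cfg or local.bro).
redef Site::local_nets += { 10.0.0.0/8, 192.168.0.0/16 };

event connection_established(c: connection)
    {
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    # originator must be an internal address
    if ( ! Site::is_local_addr(orig) )
        return;

    # responder must not be an internal address
    if ( Site::is_local_addr(resp) )
        return;

    # only report hosts we are tracking
    if ( orig !in watched_hosts )
        return;

    NOTICE([$note=Outbound_From_Watched_Host,
            $conn=c,
            $msg=fmt("%s connected out to %s:%s", orig, resp, c$id$resp_p)]);
    }
```

Errors in a script loaded from local.bro still surface in reporter.log, so check there first if the notice never fires.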