[Bro] Quick Notice question

James Lay jlay at slave-tothe-box.net
Fri Jan 24 08:24:11 PST 2014


All,

So I was intrigued with the largeTx script.  As I'm not advanced with 
bro's scripting, I'm trying to change this to just notice instead of 
email:

#
# Define constants
# Define script and global variables
#
redef enum Notice::Type += {            # add custom notice types
        Large_Outgoing_Tx,
        Very_Large_Outgoing_Tx,
};

const maxTx = 52428800;                 # single conn Tx bytes over which we want to alert on immediately
const recordTx = 1024000;               # destination hosts to record if over this many bytes


#
# Send email if Very_Large_Outgoing_Tx
#
hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == Very_Large_Outgoing_Tx )
                add n$actions[Notice::ACTION_EMAIL];
        }


#
# Alert on potential compromised internal hosts
#
event connection_state_remove(c: connection)
        {
        if ( c$orig$size > recordTx )
                {
                # bail out unless orig IP is an internal IP
                if ( ! Site::is_local_addr(c$id$orig_h) )
                        return;

                # bail out if dest IP is also an internal IP
                if ( Site::is_local_addr(c$id$resp_h) )
                        return;

                # Report c$orig$size, the same counter the thresholds above use.
                # c$orig$num_bytes_ip is an &optional field (only set while the
                # connection size analyzer is enabled), and reading it while unset
                # aborts the event with a "field value missing" error.
                if ( c$orig$size > maxTx )
                        {
                        NOTICE([$note=Very_Large_Outgoing_Tx,
                                $msg=fmt("Orig transmitted %d bytes to resp.  Duration %s sec.  Connection UID %s.",
                                         c$orig$size, c$duration, c$uid),
                                $conn=c]);
                        }
                else
                        {
                        NOTICE([$note=Large_Outgoing_Tx,
                                $msg=fmt("Orig transmitted %d bytes to resp.  Duration %s sec.  Connection UID %s.",
                                         c$orig$size, c$duration, c$uid),
                                $conn=c]);
                        }
                }
        }

Any assistance would be great..and thanks to the OP for this..it's a 
great idea.

James
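For readers following the thread, here is an added example (editor's illustration, not code from James's post or from the largeTx script it is based on) of the same detector written so that it only produces notice.log entries. The Bro Notice framework attaches Notice::ACTION_LOG to every notice by default, so simply not adding a Notice::policy hook that inserts ACTION_EMAIL is what "just notice instead of email" amounts to. The module name LargeTx, the snake_case constant names and the $identifier choice are assumptions of this example; the script assumes Site::local_nets is populated so that Site::is_local_addr() can tell internal from external hosts.

```bro
# Added example, not part of the original post: notice-only variant of the
# largeTx detector.  With no Notice::policy hook adding ACTION_EMAIL, each
# notice keeps the framework's default ACTION_LOG and lands in notice.log only.
module LargeTx;

export {
    redef enum Notice::Type += {
        ## Internal host sent more than record_tx bytes to an external host.
        Large_Outgoing_Tx,
        ## Internal host sent more than max_tx bytes to an external host.
        Very_Large_Outgoing_Tx,
    };

    ## Single-connection byte count treated as "very large" (50 MiB).
    const max_tx = 52428800 &redef;

    ## Byte count above which an outgoing connection is noticed at all.
    const record_tx = 1024000 &redef;
}

event connection_state_remove(c: connection)
    {
    # Only internal originators talking to external responders are of interest.
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;

    # c$orig$size is always set, unlike the &optional c$orig$num_bytes_ip.
    local sent = c$orig$size;
    if ( sent <= record_tx )
        return;

    local note: Notice::Type;
    if ( sent > max_tx )
        note = Very_Large_Outgoing_Tx;
    else
        note = Large_Outgoing_Tx;

    NOTICE([$note=note,
            $msg=fmt("%s sent %d bytes to %s over %s (uid %s)",
                     c$id$orig_h, sent, c$id$resp_h, c$duration, c$uid),
            $conn=c,
            # Repeated notices for the same host pair within
            # Notice::default_suppression_interval collapse into one entry,
            # so a single bulk transfer split over many connections does not
            # flood notice.log.
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

To check it, run the script against a capture (`bro -r some.pcap largetx.bro`, with `redef Site::local_nets` set to the internal ranges) and inspect notice.log with `bro-cut note src dst msg`; each flagged connection should appear with its note type and no email should be sent because no action other than the default ACTION_LOG is ever added. Dropping the $identifier field restores one notice per connection if that is preferred.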
