[Bro] Quick Notice question
James Lay
jlay at slave-tothe-box.net
Fri Jan 24 08:24:11 PST 2014
All,
So I was intrigued with the largeTx script. As I'm not advanced with
Bro's scripting, I'm trying to change this to just notice instead of
email:
#
# Define constants
# Define script and global variables
#
redef enum Notice::Type += { # add custom notice types
    Large_Outgoing_Tx,
    Very_Large_Outgoing_Tx,
};

const maxTx = 52428800;    # single conn Tx bytes over which we want to alert on immediately
const recordTx = 1024000;  # destination hosts to record if over this many bytes

#
# Send email if Very_Large_Outgoing_Tx
#
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Very_Large_Outgoing_Tx )
        add n$actions[Notice::ACTION_EMAIL];
    }

#
# Alert on potential compromised internal hosts
#
event connection_state_remove(c: connection)
    {
    if ( c$orig$size > recordTx )
        {
        # check to see if orig IP is an internal IP
        if ( ! Site::is_local_addr(c$id$orig_h) )
            return;

        # check to see if dest ip is not an internal IP
        if ( Site::is_local_addr(c$id$resp_h) )
            return;

        if ( c$orig$size > maxTx )
            {
            NOTICE([$note=Very_Large_Outgoing_Tx,
                    $msg=fmt("Orig transmitted %d bytes to resp. Duration %s sec. Connection UID %s.",
                             c$orig$num_bytes_ip, c$duration, c$uid),
                    $conn=c]);
            }
        else
            {
            NOTICE([$note=Large_Outgoing_Tx,
                    $msg=fmt("Orig transmitted %d bytes to resp. Duration %s sec. Connection UID %s.",
                             c$orig$num_bytes_ip, c$duration, c$uid),
                    $conn=c]);
            }
        }
    }
Any assistance would be great, and thanks to the OP for this; it's a
great idea.
James
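A log-only variant of the same detection, added here as an illustration and not part of James's post or the largeTx script: it keeps the two notice types but registers no email action (the notice framework applies Notice::ACTION_LOG by default, so every notice still reaches notice.log), compares and reports the same byte counter, and uses $identifier/$suppress_for so one local/remote host pair raises at most one notice per window. The module name LargeTx, the one-hour suppression window and the &redef thresholds are assumptions.

```bro
# Added example (not from the original post). Assumed module name.
@load base/frameworks/notice
@load base/utils/site

module LargeTx;

export {
    redef enum Notice::Type += {
        Large_Outgoing_Tx,
        Very_Large_Outgoing_Tx,
    };

    ## Bytes a local originator sends to a remote responder before a
    ## Large_Outgoing_Tx notice is raised (value taken from the post).
    const recordTx = 1024000 &redef;
    ## Bytes above which Very_Large_Outgoing_Tx is raised instead.
    const maxTx = 52428800 &redef;
    ## Assumed: how long repeated notices for one host pair are suppressed.
    const suppress_window = 1hr &redef;
}

# No Notice::policy hook is needed for "just notice": with no extra action
# added, each notice is still logged. If email is wanted later for one
# type only, opting in per type is enough:
#   redef Notice::emailed_types += { Very_Large_Outgoing_Tx };

event connection_state_remove(c: connection)
    {
    # Only local originator -> remote responder, above the record threshold.
    if ( c$orig$size <= recordTx )
        return;
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;

    # Same counter for the threshold check and the message text.
    local note = c$orig$size > maxTx ? Very_Large_Outgoing_Tx : Large_Outgoing_Tx;

    NOTICE([$note=note,
            $msg=fmt("%s sent %d bytes to %s over %s (uid %s)",
                     c$id$orig_h, c$orig$size, c$id$resp_h, c$duration, c$uid),
            $conn=c,
            # One notice per (local host, remote host) pair per window;
            # later connections between the same pair are suppressed.
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=suppress_window]);
    }
```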