[Bro] Quick Notice question

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Fri Jan 24 08:48:40 PST 2014


I've added a little more smarts to the script as I become more familiar with bro scripting.  I'm simply amazed at the possibilities of Bro; thank you to those who have and continue to develop this awesome tool.  I wish I had run across it five years ago.  Attached is the current iteration.  I'm trying to keep track of and alert on hosts that have multiple large upload events in a given time and any destination hosts that have seen multiple uploads over a given time.  To disable the mail alerts just comment out the below.  If any of my inline comments are unclear yell at me.

#
# Send email if a Very_Large_Outgoing_Tx or Multiple_Large_Outgoing_Tx notice is generated
#
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Very_Large_Outgoing_Tx || n$note == Multiple_Large_Outgoing_Tx )
        add n$actions[Notice::ACTION_EMAIL];
    }

Thank you,
Brian Kellogg

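A sketch of the per-host counting described above, written as an added example (it is not the largeTx.bro attached to this thread): only recordTx (1024000 bytes) comes from the quoted script; the LargeTx module name, the five-event limit and the one-hour window are assumptions.

```bro
# Added example, not the largeTx.bro attached to this thread.  Counts connections
# in which an internal host sends more than record_tx bytes to an external host and
# raises one notice per host once that happens max_events times within an hour.
@load base/frameworks/notice
@load base/utils/site
module LargeTx;

export {
    redef enum Notice::Type += {
        Multiple_Large_Outgoing_Tx,  # max_events large uploads from one host
    };
    const record_tx = 1024000 &redef;   # orig bytes that count as "large" (recordTx in the thread)
    const max_events = 5 &redef;        # large uploads per host before alerting (assumed)
}

# Per-host count of large uploads.  &write_expire drops an entry one hour
# after its last increment, so the count covers a sliding one-hour window.
global large_tx_count: table[addr] of count &write_expire=1hr;

event connection_state_remove(c: connection)
    {
    # Outbound only: internal originator, external responder.
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;

    # c$orig$size is the payload byte count the originator sent.
    if ( c$orig$size <= record_tx )
        return;

    local h = c$id$orig_h;
    if ( h !in large_tx_count )
        large_tx_count[h] = 0;
    ++large_tx_count[h];

    # $identifier plus $suppress_for make the framework emit this once per
    # host per hour rather than on every further upload.
    if ( large_tx_count[h] >= max_events )
        NOTICE([$note=Multiple_Large_Outgoing_Tx,
                $msg=fmt("%s made %d large uploads in the last hour", h, large_tx_count[h]),
                $src=h, $identifier=cat(h), $suppress_for=1hr]);
    }

# Email only the aggregate notice; comment this hook out to log only.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Multiple_Large_Outgoing_Tx )
        add n$actions[Notice::ACTION_EMAIL];
    }
```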

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Friday, January 24, 2014 11:24 AM
To: Bro
Subject: [Bro] Quick Notice question

All,

So I was intrigued with the largeTx script.  As I'm not advanced with bro's scripting, I'm trying to change this to just notice instead of email:

#
# Define constants
# Define script and global variables
#
redef enum Notice::Type += {            # add custom notice types
        Large_Outgoing_Tx,
        Very_Large_Outgoing_Tx,
};

const maxTx = 52428800;                 # single conn Tx bytes over which we want to alert on immediately
const recordTx = 1024000;               # destination hosts to record if over this many bytes


#
# Send email if Very_Large_Outgoing_Tx
#
hook Notice::policy(n: Notice::Info)
     {
     if ( n$note == Very_Large_Outgoing_Tx )
          add n$actions[Notice::ACTION_EMAIL];
     }


#
# Alert on potential compromised internal hosts
#
event connection_state_remove(c: connection)
    {
    if ( c$orig$size > recordTx )
        {
        # check to see if orig IP is an internal IP
        if ( ! Site::is_local_addr(c$id$orig_h) )
            return;

        # check to see if dest ip is not an internal IP
        if ( Site::is_local_addr(c$id$resp_h) )
            return;

        # note: the thresholds above compare c$orig$size (payload bytes), while the
        # message reports c$orig$num_bytes_ip, an &optional IP-level byte count
        if ( c$orig$size > maxTx )
            {
            NOTICE([$note=Very_Large_Outgoing_Tx,
                    $msg=fmt("Orig transmitted %d bytes to resp.  Duration %s sec.  Connection UID %s.",
                             c$orig$num_bytes_ip, c$duration, c$uid),
                    $conn=c]);
            }
        else
            {
            NOTICE([$note=Large_Outgoing_Tx,
                    $msg=fmt("Orig transmitted %d bytes to resp.  Duration %s sec.  Connection UID %s.",
                             c$orig$num_bytes_ip, c$duration, c$uid),
                    $conn=c]);
            }
        }
    }

Any assistance would be great... and thanks to the OP for this... it's a great idea.

James
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: largeTx.bro
Type: application/octet-stream
Size: 4268 bytes
Desc: largeTx.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140124/93e36818/attachment.obj 
