[Bro] Quick Notice question
Kellogg, Brian D (OLN)
bkellogg at dresser-rand.com
Fri Jan 24 08:48:40 PST 2014
I've added a little more smarts to the script as I become more familiar with bro scripting. I'm simply amazed at the possibilities of Bro; thank you to those who have and continue to develop this awesome tool. I wish I had run across it five years ago. Attached is the current iteration. I'm trying to keep track of and alert on hosts that have multiple large upload events in a given time and any destination hosts that have seen multiple uploads over a given time. To disable the mail alerts just comment out the below. If any of my inline comments are unclear yell at me.
#
# Send email if Very_Large_Outgoing_Tx notice type is generated
#
hook Notice::policy(n: Notice::Info)
{
    if (n$note == Very_Large_Outgoing_Tx || n$note == Multiple_Large_Outgoing_Tx)
        add n$actions[Notice::ACTION_EMAIL];
}
Thank you,
Brian Kellogg
-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of James Lay
Sent: Friday, January 24, 2014 11:24 AM
To: Bro
Subject: [Bro] Quick Notice question
All,
So I was intrigued with the largeTx script. As I'm not advanced with bro's scripting, I'm trying to change this to just notice instead of email:
#
# Define constants
# Define script and global variables
#
redef enum Notice::Type += { # add custom notice types
    Large_Outgoing_Tx,
    Very_Large_Outgoing_Tx,
};
const maxTx = 52428800;   # single conn Tx bytes over which we want to alert on immediately
const recordTx = 1024000; # destination hosts to record if over this many bytes
#
# Send email if Very_Large_Outgoing_Tx
#
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Very_Large_Outgoing_Tx )
        add n$actions[Notice::ACTION_EMAIL];
}
#
# Alert on potential compromised internal hosts
#
event connection_state_remove(c: connection)
{
    if (c$orig$size > recordTx)
    {
        # check to see if orig IP is an internal IP
        if(!Site::is_local_addr(c$id$orig_h))
            return;
        # check to see if dest ip is not an internal IP
        if(Site::is_local_addr(c$id$resp_h))
            return;
        if (c$orig$size > maxTx)
        {
            NOTICE([$note=Very_Large_Outgoing_Tx,
                    $msg=fmt("Orig transmitted %d bytes to resp. Duration %s sec. Connection UID %s.",
                             c$orig$num_bytes_ip, c$duration, c$uid),
                    $conn=c]);
        }
        else
        {
            NOTICE([$note=Large_Outgoing_Tx,
                    $msg=fmt("Orig transmitted %d bytes to resp. Duration %s sec. Connection UID %s.",
                             c$orig$num_bytes_ip, c$duration, c$uid),
                    $conn=c]);
        }
    }
}
Any assistance would be great..and thanks to the OP for this..it's a great idea.
James
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
A non-text attachment was scrubbed...
Name: largeTx.bro
Type: application/octet-stream
Size: 4268 bytes
Desc: largeTx.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140124/93e36818/attachment.obj
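The per-host tally Brian describes (several large uploads from one internal host, or to one external host, inside a time window), written here as an added example rather than the attached largeTx.bro; the thresholds, the window, the table names and the use of &create_expire to age entries are assumptions. It also covers James's case: with no Notice::policy hook adding ACTION_EMAIL, the notices only go to notice.log.

```bro
# Added example, not the attached largeTx.bro. Thresholds, window and
# table names are assumptions; Site::is_local_addr and NOTICE are Bro's.
redef enum Notice::Type += {
    Large_Outgoing_Tx,           # one upload over recordTx bytes
    Multiple_Large_Outgoing_Tx,  # several such uploads inside one window
};

const recordTx = 1024000;        # bytes from the originator to count as "large"
const tx_window = 1hr &redef;    # how long an upload stays in the tally
const max_per_orig = 5 &redef;   # large uploads per internal source per window
const max_per_resp = 10 &redef;  # large uploads per external destination per window

# An entry is dropped tx_window after it was first created, so each count
# only covers a recent window and restarts from zero afterwards.
global orig_tally: table[addr] of count &create_expire=tx_window;
global resp_tally: table[addr] of count &create_expire=tx_window;

function bump(t: table[addr] of count, h: addr): count
{
    if ( h !in t )
        t[h] = 0;
    return ++t[h];
}

event connection_state_remove(c: connection)
{
    # only internal -> external transfers are of interest
    if ( ! Site::is_local_addr(c$id$orig_h) || Site::is_local_addr(c$id$resp_h) )
        return;
    if ( c$orig$size <= recordTx )
        return;

    NOTICE([$note=Large_Outgoing_Tx,
            $msg=fmt("%s sent %d bytes to %s", c$id$orig_h, c$orig$size, c$id$resp_h),
            $conn=c]);

    # == rather than >= so each host raises the notice once per window;
    # $identifier/$suppress_for also stop duplicates in the Notice framework.
    if ( bump(orig_tally, c$id$orig_h) == max_per_orig )
        NOTICE([$note=Multiple_Large_Outgoing_Tx,
                $msg=fmt("%s made %d large uploads within %s", c$id$orig_h, max_per_orig, tx_window),
                $conn=c, $identifier=cat("orig", c$id$orig_h), $suppress_for=tx_window]);

    if ( bump(resp_tally, c$id$resp_h) == max_per_resp )
        NOTICE([$note=Multiple_Large_Outgoing_Tx,
                $msg=fmt("%s received %d large uploads within %s", c$id$resp_h, max_per_resp, tx_window),
                $conn=c, $identifier=cat("resp", c$id$resp_h), $suppress_for=tx_window]);
}
```

Load it with bro -i <iface> local this_script.bro (or add it to local.bro) and redef the thresholds from site policy rather than editing the script.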