[Bro] Stupid scripting question: SSH password detection limited to local networks

Mike Patterson mike.patterson at uwaterloo.ca
Tue Jan 28 07:08:40 PST 2014


Following directions, I did:

----
hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_EMAIL];
        }
----

and since we’ve got a very great many SSH servers exposed, I got a very great number of emails. Since I care more about outbound traffic, I did:

----
hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == SSH::Password_Guessing && Site::is_local_addr(n$id$orig_h) )
        add n$actions[Notice::ACTION_EMAIL];
        }
----

and now I get no mails at all (despite the fact I know we had at least a couple outbound attacks since I set this).

I'd set a few networks in $PREFIX/bro/etc/networks.cfg, and “config” from broctl says:
localnetscfg = /usr/local/bro-2.2/etc/networks.cfg

However, if I write a test script:
----
@load base/utils/site

print Site::local_nets;
----

and run “bro test.bro”, the output is empty unless I first redef Site::local_nets += {}; with my ranges.
Obviously I’m doing something incorrect, but which is the most correct way to fix it? redef local_nets in my local.bro, or have I mistaken the format of the networks.cfg file? It contains:

----
129.97.0.0/16	Waterloo Public IPv4
2620:101:f000::/47	IPv6
----

I’m thinking my problem with the test script is simply that I’m not running it with broctl, although I do run my production instance with same so I’m still back to “why does my revised hook not work as expected?”

Output of the production broctl’s “scripts” command includes, among other things:
----
/usr/local/bro-2.2/share/bro/base/utils/site.bro
/usr/local/bro-2.2/spool/tmp/check-config-worker-8/local-networks.bro
/usr/local/bro-2.2/spool/tmp/check-config-worker-8/broctl-config.bro
----
so I believe it’s loading everything it needs.

Mike
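A defensive variant of the hook, added here as an example and not part of Mike's post: Notice::Info's id and src fields are both &optional, and a notice raised without a connection (SSH::Password_Guessing in the stock detect-bruteforcing policy carries the guessing host in $src, not in an $id) has no $id at all, so reading n$id$orig_h fails at runtime and the hook ends before the action is added. The redef is only for running the script stand-alone with bro, where broctl's generated local-networks.bro is not loaded; the prefixes are the ones from the message above and are otherwise unnecessary under broctl.

```bro
@load base/utils/site
@load protocols/ssh/detect-bruteforcing

# Stand-alone "bro this.bro" runs do not load broctl's generated
# local-networks.bro, so the networks.cfg prefixes are repeated here
# for testing only. Under broctl this redef should be left out.
redef Site::local_nets += { 129.97.0.0/16, [2620:101:f000::]/47 };

# Decide whether the notice originated inside Site::local_nets,
# using whichever address field the notice actually carries:
# $src for host-based notices, $id$orig_h for connection notices.
function originated_locally(n: Notice::Info): bool
	{
	if ( n?$src )
		return Site::is_local_addr(n$src);

	if ( n?$id )
		return Site::is_local_addr(n$id$orig_h);

	# Neither field is present: nothing to judge, so do not email.
	return F;
	}

# Only email for password guessing that comes from our own hosts.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing && originated_locally(n) )
		add n$actions[Notice::ACTION_EMAIL];
	}
```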