[Bro] Clarification needed

Seth Hall seth at icir.org
Fri Sep 19 12:01:03 PDT 2014


On Sep 19, 2014, at 1:29 PM, PeLo <phrackmod at gmail.com> wrote:

> The problem is that Bro automatically tries to perform a DNS lookup on any domain names provided.

I don't tend to use that feature of Bro because I never have a problem that fits it quite right.

> Using a single domain name works well (global restricted_domains = abc.com) but when I try to assign a group of domains at a time (global restriced_domains = { abc.com, 123.net }; or global restricted_domains: set[addr] and using add statement), I get an error which states "Type Clash". I would like to know if there is a way to create a set of hostnames so that I can work on them later.

I would have to see your code to know exactly what was failing.

> Since domain names are essentially strings, I think it would be nice to have an explicit conversion function to convert from strings to domain names. If there was one, the above problem would have been solved easily.

https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-lookup_hostname
https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-lookup_hostname_txt
https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-lookup_addr

You can see an example using one of these scripts here:
	https://github.com/bro/bro/blob/master/scripts/policy/protocols/ssh/interesting-hostnames.bro#L34

(you have to use them in when statements)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
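
An added example, not part of the original message or of the Bro distribution: one way to keep the hostnames as strings and resolve them with lookup_hostname inside a when statement, as the reply suggests. The names restricted_domains and restricted_addrs, the 10 second timeout and the new_connection check are assumptions made for illustration.

```bro
# Hostnames are stored as plain strings, so nothing is resolved
# when the script is parsed.
const restricted_domains: set[string] = { "abc.com", "123.net" } &redef;

# Filled in asynchronously as the lookups complete.
global restricted_addrs: set[addr];

event bro_init()
	{
	for ( name in restricted_domains )
		{
		# lookup_hostname() takes a string and returns a set of
		# addresses; it is asynchronous and only valid inside "when".
		when ( local addrs = lookup_hostname(name) )
			{
			for ( a in addrs )
				add restricted_addrs[a];
			}
		timeout 10sec
			{
			# A failed lookup should not silently leave a hole
			# in the watch list, so report it.
			print fmt("lookup of %s timed out", name);
			}
		}
	}

event new_connection(c: connection)
	{
	# Connections seen before the lookups finish are not matched.
	if ( c$id$resp_h in restricted_addrs )
		print fmt("%s connected to restricted host %s",
		          c$id$orig_h, c$id$resp_h);
	}
```

The addresses are resolved once at startup, so a domain whose records change later is matched against stale addresses until the script is reloaded.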




