[Bro] adding srcip to correlation script

Josh Liburdi liburdi.joshua at gmail.com
Fri Jan 9 17:36:20 PST 2015


Hi Brian,

I wrote the script you're referring to, so hopefully I can help.
(Sorry for taking so long to reply to your message, I meant to do this
earlier but haven't had time.)

I don't use ELSA, but based on your description it sounds like it
parses the Bro notice c$id fields and not the src or dst fields. This
script doesn't use the c$id fields since no connection record exists
after correlation has taken place; the only field containing a
connection artifact is the src field, so that is the field you would
want to groupby. It sounds like the fix for this could be in ELSA, but
if you'd like to alter the Bro script to support the ELSA srcip field
as it is now, then this (ugly solution) should work:

Change this line in each notice: $src=idx,
To this: $id=[$orig_h=idx,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],

By doing that, we're faking a full connection record to get the idx
value into the c$id$orig_h field (and thus the srcip field in ELSA).

Hope this helps! Let me know if I was way off base.

Josh

On Fri, Jan 2, 2015 at 8:46 AM, Kellogg, Brian D (OLN)
<bkellogg at dresser-rand.com> wrote:
> I’m working with the correlation script released by CrowdStrike, thank you
> BTW, and I want to populate the “srcip” field with the correct source IP so
> that I can do a groupby on that field in ELSA.  How do I get the conn record
> for this connection into the below function so that I can add $conn=c to the
> notice?  Not sure what the best way to do this is; can I just add it to the
> function arguments or define “c” as a local and then assign the source IP,
> “idx” in this case, to c$id$orig_h.
>
> function alerts_out(t: table[addr] of set[string], idx: addr): interval
>
> thanks,
>
> Brian
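As an added example, not the CrowdStrike script or code from either message above: a minimal Bro correlation table whose expire function raises a notice with the faked conn_id Josh describes, so that a consumer reading c$id (ELSA's srcip) sees the correlated source. The module name, notice type, thresholds and the Notice::policy hook that feeds the table are my assumptions.

```bro
# Added example: a correlation table keyed by source address whose expire
# function emits a NOTICE carrying a faked $id instead of $src=idx.
@load base/frameworks/notice

module Correlation;

export {
    redef enum Notice::Type += {
        ## One source triggered several distinct notice types (assumed name).
        Multiple_Alerts,
    };
    ## Distinct notice types a host must trigger before it is reported.
    const alert_threshold = 3 &redef;
    ## How long a source's alerts are tracked before the entry expires.
    const alert_window = 10min &redef;
}

# Expire function: Bro calls it with the table and the key being expired.
function alerts_out(t: table[addr] of set[string], idx: addr): interval
{
    if ( |t[idx]| >= alert_threshold )
    {
        local seen = "";
        for ( n in t[idx] )
            seen = seen == "" ? n : fmt("%s, %s", seen, n);

        NOTICE([$note=Multiple_Alerts,
                $msg=fmt("%s triggered %d distinct notices: %s",
                         idx, |t[idx]|, seen),
                # No connection exists at expire time, so fake one: only
                # orig_h carries real data (the correlated source address).
                $id=[$orig_h=idx, $orig_p=0/tcp,
                     $resp_h=0.0.0.0, $resp_p=0/tcp],
                $identifier=cat(idx),
                $suppress_for=alert_window]);
    }
    return 0secs;
}

global alerts: table[addr] of set[string]
    &create_expire=alert_window &expire_func=alerts_out;

# Record every other notice that has a source address, keyed by that address.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Multiple_Alerts || ! n?$src )
        return;
    if ( n$src !in alerts )
        alerts[n$src] = set();
    add alerts[n$src][fmt("%s", n$note)];
}
```

The ports and resp_h are placeholders, so anything downstream that keys on the full 4-tuple will group every correlated notice into one bogus flow; only orig_h is meaningful.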


