[Bro] adding srcip to correlation script

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Tue Jan 13 05:46:24 PST 2015


Sorry, I was getting an error in Bro about the Conn ID field; not ELSA.  And the notices were not showing up in notice.log.  I probably just missed something simple.  I really didn’t have time to look into it.



I see scanning notices in ELSA, but they come in with the default of the loopback IP for src and dst unfortunately.  So it can make them hard to correlate.





From: Josh Liburdi [mailto:liburdi.joshua at gmail.com]
Sent: Tuesday, January 13, 2015 1:35 AM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: RE: [Bro] adding srcip to correlation script



It sounds odd that ELSA requires the conn uid field-- there are many scripts that do not put conn uid values in the notice. Out of curiosity, have you (or anyone) seen any scanning notices in ELSA?


—
Sent from Mailbox<https://www.dropbox.com/mailbox>



On Mon, Jan 12, 2015 at 5:32 AM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com<mailto:bkellogg at dresser-rand.com>> wrote:

   Thanks for the response.

   I tried something similar already, but it wants the connection unique ID field filled as well and I haven't figured out how to handle that yet. Haven't had time to play with it beyond my first attempt. Thanks


   -----Original Message-----
   From: Josh Liburdi [mailto:liburdi.joshua at gmail.com]
   Sent: Friday, January 09, 2015 8:36 PM
   To: Kellogg, Brian D (OLN)
   Cc: bro at bro.org<mailto:bro at bro.org>
   Subject: Re: [Bro] adding srcip to correlation script

   Hi Brian,

   I wrote the script you're referring to, so hopefully I can help.
   (Sorry for taking so long to reply to your message, I meant to do this earlier but haven't had time.)

   I don't use ELSA, but based on your description it sounds like it parses the Bro notice c$id fields and not the src or dst fields. This script doesn't use the c$id fields since no connection record exists after correlation has taken place; the only field containing a connection artifact is the src field, so that is the field you would want to groupby. It sounds like the fix for this could be in ELSA, but if you'd like to alter the Bro script to support the ELSA srcip field as it is now, then this (ugly solution) should work:

   Change this line in each notice: $src=idx, To this: $id=[$orig_h=idx,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],

   By doing that, we're faking a full connection record to get the idx value into the c$id$orig_h field (and thus the srcip field in ELSA).

   Hope this helps! Let me know if I was way off base.

   Josh

   On Fri, Jan 2, 2015 at 8:46 AM, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com<mailto:bkellogg at dresser-rand.com>> wrote:
   > I’m working with the correlation script released by CrowdStrike, thank
   > you BTW, and I want to populate the “srcip” field with the correct
   > source IP so that I can do a groupby on that field in ELSA. How do I
   > get the conn record for this connection into the below function so
   > that I can add $conn=c to the notice? Not sure what the best way to
   > do this is; can I just add it to the function arguments or define “c”
   > as a local and then assign the source IP, “idx” in this case, to c$id$orig_h?
   >
   > function alerts_out(t: table[addr] of set[string], idx: addr): interval
   >
   > thanks,
   >
   > Brian
   >
   >
   > _______________________________________________
   > Bro mailing list
   > bro at bro-ids.org<mailto:bro at bro-ids.org>
   > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



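To make the thread's advice concrete, here is an added Bro script sketch (not the CrowdStrike correlation script and not Josh's or Brian's code) showing an alerts_out() expiration function in the shape quoted above, with the notice as originally written beside the faked-conn_id form from Josh's reply. The module name, notice type, threshold and table definition are assumptions made for the illustration.

```bro
# Added illustration only: a minimal stand-in for the correlation script's
# alerts_out(), showing Josh's $id workaround. Module, notice type and
# threshold are assumptions, not values from the real script.
module Correlation;

export {
    redef enum Notice::Type += {
        ## Assumed notice type: a host has accumulated several distinct alerts.
        Correlated_Alerts,
    };

    ## Assumed threshold: distinct alert names per source host before notifying.
    const alert_threshold = 3 &redef;
}

# Expiration function with the signature quoted in the thread. It is called
# when the entry for idx expires; returning 0secs lets the entry be removed.
function alerts_out(t: table[addr] of set[string], idx: addr): interval
{
    if ( |t[idx]| < alert_threshold )
        return 0secs;

    local names = "";
    for ( n in t[idx] )
        names = fmt("%s%s ", names, n);

    # Original form: only Notice::Info$src is set. A consumer that reads the
    # conn id fields (id.orig_h / id.resp_h) instead of src sees nothing there
    # and falls back to its default (the loopback address, per the thread).
    # NOTICE([$note=Correlated_Alerts, $src=idx, $msg=names]);

    # Workaround from the thread: no connection record exists after
    # correlation, so fake a conn_id just to carry idx in id.orig_h, which is
    # what ELSA maps to srcip. The other three fields are dummy values.
    NOTICE([$note=Correlated_Alerts,
            $id=[$orig_h=idx, $orig_p=0/tcp, $resp_h=0.0.0.0, $resp_p=0/tcp],
            $src=idx,
            $msg=fmt("%d distinct alerts from %s: %s", |t[idx]|, idx, names)]);

    return 0secs;
}

# Assumed table: alert names seen per source host; each entry expires five
# minutes after its last write and alerts_out() runs at that point.
global alerts: table[addr] of set[string]
    &write_expire=5mins &expire_func=alerts_out;
```

Because the id fields are fabricated, anything downstream that treats id.resp_h=0.0.0.0 or port 0 as a real peer will be misled; filter or annotate such notices if other reports group on the destination side.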