[Bro] Implementing a new script
Connor Borchgrevink
borchgrevink at aggienetwork.com
Tue Jul 12 12:26:34 PDT 2016
Howdy all,
I recently began poking around Bro and had my first attempt of writing a
script. The purpose of it was to detect whether or not traffic on port
443 used SSL, the moment I implemented the script my CPU usage was at
100% and the same happened to my memory. Without the script enabled, the
machine runs fine and bro only uses about 50-60% of the resources. I
also tried to turn off every other thing in local.bro but it was the
same result. The code is as follows (be warned its pretty rough):
@load base/protocols/ssl
@load base/frameworks/notice
@load base/protocols/conn
@load base/utils/directions-and-hosts
module conn;
export {
redef enum Notice::Type += {
Unencrypted_Traffic
};
const List_of_Hosts = LOCAL_HOSTS &redef;
const Encryption = "SSL" &redef;
}
event new_connection(c: connection) &priority=3
{
if ( ! addr_matches_host(c$id$resp_h, List_of_Hosts) )
return;
local port_number=c$conn$id$resp_p;
local ip_address=c$conn$id$resp_h;
local encrypted=c$conn$service;
if ( port_number != 443/tcp )
return;
if ( encrypted != Encryption )
NOTICE([$note=Unencrypted_Traffic,
$msg=fmt("Unencrypted traffic"),
$conn=c,
$identifier=cat(c$id$resp_h, c$id$resp_p)
]);
}
It is probably something I am not catching in my code or a limited
knowledge of bro, but any help is much appreciated.
Thanks
Connor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160712/2976a084/attachment.html
More information about the Bro
mailing list