[Bro] Implementing a new script

Seth Hall seth at icir.org
Wed Jul 13 08:25:57 PDT 2016 

Hi Connor,

This is a nice job at a first script.  I'll point out a few issues I noticed with it, but generally I think you got pretty close to what you wanted.

Bro won't have detected the protocol in the connection yet in the new_connection event.  Generally you can assume that no payload has been seen when the new_connection event is generated which means that we don't yet know if the traffic is encrypted or not. :)  You could use the protocol_violation event to watch for the SSL analyzer to be violated.  Port 443/tcp always gets the SSL analyzer attached as a heuristic but it will fail if the traffic is not actually SSL.  This might actually be the most straightforward mechanism.
	https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-protocol_violation 

One other tiny mistake is that you're comparing the c$conn$service field against "SSL" but the value in the service field will be "ssl".  You just need to fix your casing.

Nice script!

  .Seth




> On Jul 12, 2016, at 3:26 PM, Connor Borchgrevink <borchgrevink at aggienetwork.com> wrote:
> 
> Howdy all, 
> 
> I recently began poking around Bro and had my first attempt of writing a script. The purpose of it was to detect whether or not traffic on port 443 used SSL, the moment I implemented the script my CPU usage was at 100% and the same happened to my memory. Without the script enabled, the machine runs fine and bro only uses about 50-60% of the resources. I also tried to turn off every other thing in local.bro but it was the same result. The code is as follows (be warned its pretty rough):
> 
> @load base/protocols/ssl 
> @load base/frameworks/notice 
> @load base/protocols/conn 
> @load base/utils/directions-and-hosts 
>  
> module conn; 
>  
> export { 
>         redef enum Notice::Type += { 
>                 Unencrypted_Traffic 
>         }; 
>  
>         const List_of_Hosts = LOCAL_HOSTS &redef; 
>         const Encryption = "SSL" &redef; 
> } 
>  
> event new_connection(c: connection) &priority=3 
>         { 
>         if ( ! addr_matches_host(c$id$resp_h, List_of_Hosts) ) 
>                 return; 
>  
>         local port_number=c$conn$id$resp_p; 
>         local ip_address=c$conn$id$resp_h; 
>         local encrypted=c$conn$service; 
>  
>         if ( port_number != 443/tcp ) 
>                 return; 
>  
>         if ( encrypted != Encryption ) 
>                 NOTICE([$note=Unencrypted_Traffic, 
>                         $msg=fmt("Unencrypted traffic"), 
>                         $conn=c, 
>                         $identifier=cat(c$id$resp_h, c$id$resp_p) 
>                         ]); 
>         } 
> 
> 
> It is probably something I am not catching in my code or a limited knowledge of bro, but any help is much appreciated. 
> 
> Thanks
> 
> Connor
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

More information about the Bro mailing list