[Bro] How should I be calling an external script from Bro?

Eric Hacecky hacecky at jlab.org
Mon Mar 14 13:48:14 PDT 2016


New to Bro.  Trying to make sure I follow best practice here configuring it for my environment.

Currently Bro generates an email alert for HTTP::SQL_Injection_Attacker from detect-sqli.bro.

I wrote a python script to accept some parameters, including the attacker's IP, that will put in a block at my firewall.

I was just going to tail Bro's notice.log and pull out the IP to feed my script anytime a SQL attack was logged there, but I figured it would be better to get Bro to do some of that lifting for me instead.

Being new to Bro, I don't know how to do this.

I've googled around a bit and this is my best guess.  (definitely a guess)

- Exec module is the best way to go about this?

- If so, I'm going to do what...make a something.bro file that basically says

@load base/utils/exec

when ( <something indicating SQL_Injection_Attacker> happens = Exec::run($cmd="myScript.py 55.66.77.88 -time 720") )

- Then I would @load something.bro in my local.bro file

-----------

Assuming that's the gist of it, how am I supposed to figure out what event to look for?

when ( HTTP::SQL_Injection_Attacker )?

Every example I look at uses 'local result' instead.  Ex.  https://github.com/sooshie/bro-scripts/blob/master/misc/vt_check.bro

when (local result = Exec::run).    Why?  I don't see result defined anywhere previously?  I don't understand how that condition is ever met.

How do I make Bro pass the IP to my script?

Exec::run($cmd="myScript.py [$host=c$id$orig_h]")?

Thanks,
Eric
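The following is an added example script (not from the original post, and not part of Bro's own scripts) showing the pattern the question is asking about: hooking Notice::policy so that the HTTP::SQL_Injection_Attacker notice raised by detect-sqli.bro triggers Exec::run with the attacker's address. The script path /usr/local/bin/myScript.py, its "-time" argument and the 720-minute duration are assumptions taken from the post; adjust them for your environment. In `when ( local result = Exec::run(...) )` the `local result` is declared right there: Exec::run is asynchronous, and the body runs only once the command finishes, with `result` holding its exit code and output.

```bro
# sqli-block.bro: added example, not from the original post. Loaded from local.bro
# with "@load sqli-block". Assumes a blocking script at /usr/local/bin/myScript.py
# (hypothetical path) that takes "<ip> -time <minutes>" as the post describes.
@load base/utils/exec
@load base/frameworks/notice
@load protocols/http/detect-sqli

module SQLiBlock;

export {
    ## Path to the firewall blocking script (hypothetical; override with redef).
    const block_script = "/usr/local/bin/myScript.py" &redef;
    ## Block duration in minutes, passed to the script's -time argument.
    const block_minutes = 720 &redef;
    ## Hosts already handed to the script; entries expire so a persistent
    ## attacker is re-blocked after the window, but not once per notice.
    global blocked: set[addr] &create_expire=12hr;
}

hook Notice::policy(n: Notice::Info)
    {
    # Only act on the notice type detect-sqli.bro raises for the attacking host,
    # and only if the notice carries a source address.
    if ( n$note != HTTP::SQL_Injection_Attacker || ! n?$src )
        return;

    # detect-sqli.bro can raise this notice repeatedly; run the script once per host.
    if ( n$src in blocked )
        return;
    add blocked[n$src];

    # n$src is a Bro 'addr', so fmt() yields a bare IP with no shell metacharacters,
    # which is why it is safe to splice into the command line here.
    local cmd = fmt("%s %s -time %d", block_script, n$src, block_minutes);

    # Exec::run must be called inside a 'when'; the body executes when the
    # process exits, and 'result' (an Exec::Result) is declared by the when itself.
    when ( local result = Exec::run([$cmd=cmd]) )
        {
        if ( result$exit_code != 0 )
            Reporter::warning(fmt("block script failed for %s (exit %d)",
                                  n$src, result$exit_code));
        }
    timeout 30sec
        {
        Reporter::warning(fmt("block script timed out for %s", n$src));
        }
    }
```

Two caveats before wiring this to a firewall: the notice's source address is whatever host Bro attributed the SQL-injection attempts to, so exempt your own scanners and anything behind a shared NAT or proxy before letting the script block on it, and keep the `blocked` set (or an equivalent) so a noisy attacker does not spawn one process per notice.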


