[Bro] How should I be calling an external script from Bro?
Azoff, Justin S
jazoff at illinois.edu
Tue Mar 15 14:26:00 PDT 2016
> On Mar 15, 2016, at 5:15 PM, Eric Hacecky <hacecky at jlab.org> wrote:
>
> Justin,
>
> Thanks for the guidance, that got me on the right path.
>
> Here's where I am:
>
> IPBlock.bro
> //
> module IPBLOCK;
>
> export
> {
>     redef enum Notice::Action +=
>     {
>         ACTION_IPBLOCK,
>     };
>
>     const block_types: set[Notice::Type] = {} &redef;
> }
>
> hook Notice::policy(n: Notice::Info)
> {
>     add n$actions[ACTION_IPBLOCK];
>
>     local cmd = string_cat("/usr/bin/python /usr/local/bro/share/bro/site/scripts/blockIP.py -a Bro -c 'SQL Injection' -t 72 ", n$src);
>
>     local res = Exec::run([$cmd=cmd]);
> }
> //
>
> local.bro
> //
> @load IPBlocker.bro
>
> redef IPBLOCK::block_types +=
> {
>     HTTP::SQL_Injection_Attacker,
> };
> //
>
> -----------------
>
> broctl takes it fine with no errors (not verified as working).
>
> I still don't understand what line 63 from your module is doing:
> //
> when (local res = Exec::run([$cmd=cmd, $stdin=stdin])
> //
>
> What is local res? I don't understand how that is executing the command.
>
> Regards,
> Eric
That's not quite right. It may run, but it won't do what you want.
You're not looking at block_types inside the notice policy, so that is going to try to block every single host that sets off any notice.
See how in my notice policy the first thing I do is

    hook Notice::policy(n: Notice::Info)
    {
        if ( n$note !in block_types )
            return;

That prevents it from running for notice types that are not in block_types.
You also shouldn't hardcode SQL Injection; you should grab what is in n$note and use that for the message.
I think you are overthinking the when block. That line is just doing

    local res = Exec::run([$cmd=cmd, $stdin=stdin])

It's just that run is an asynchronous operation, so it needs to be wrapped in a when ().
--
- Justin Azoff
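Putting the three points from the reply together (check block_types before doing anything, take the comment from n$note instead of a hardcoded string, and wrap Exec::run in a when block), here is an added example of what the module could look like. It is not code from either message in the thread; the script path, the -a/-c/-t flags and the 72-hour duration are copied from Eric's command line, and the exit-code check assumes the Exec::Result record's exit_code field.

```bro
# IPBlock.bro (added example; paths and flags assumed from the thread)
module IPBLOCK;

export {
    redef enum Notice::Action += {
        ACTION_IPBLOCK,
    };

    ## Notice types that should trigger a block. Empty by default, so
    ## nothing is blocked until a site opts in from local.bro.
    const block_types: set[Notice::Type] = {} &redef;

    ## External blocking script (assumed path, taken from the thread).
    const block_script = "/usr/local/bro/share/bro/site/scripts/blockIP.py" &redef;

    ## Block duration in hours handed to the script via -t.
    const block_hours = 72 &redef;
}

hook Notice::policy(n: Notice::Info)
{
    # First thing: only act on notice types the site has listed.
    if ( n$note !in block_types )
        return;

    # Some notices carry no source address; there is nothing to block then.
    if ( ! n?$src )
        return;

    add n$actions[ACTION_IPBLOCK];

    # The comment is the notice type itself, not a hardcoded "SQL Injection".
    # n$note is an enum and n$src is an addr, so neither can smuggle shell
    # metacharacters into the command line.
    local cmd = fmt("/usr/bin/python %s -a Bro -c '%s' -t %d %s",
                    block_script, n$note, block_hours, n$src);

    # Exec::run is asynchronous, so the call has to live inside a when block.
    when ( local res = Exec::run([$cmd=cmd]) )
    {
        # Assumes Exec::Result provides exit_code; surface failures so a
        # block that silently never happened shows up in reporter.log.
        if ( res$exit_code != 0 )
            Reporter::warning(fmt("blockIP.py failed for %s (%s): exit %d",
                                  n$src, n$note, res$exit_code));
    }
}

# Site configuration, in local.bro (the file name must match what @load uses):
#
#   @load IPBlock
#
#   redef IPBLOCK::block_types += {
#       HTTP::SQL_Injection_Attacker,
#   };
```

Because block_types is checked before anything else, a notice type that is not in the set never reaches the Exec::run call, and because the values interpolated into the command are typed Bro values rather than free-form strings (n$msg, for example, can contain attacker-supplied text), the command line cannot be altered by the traffic that raised the notice.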