[Bro] How should I be calling an external script from Bro?

Tue Mar 15 14:26:00 PDT 2016

> On Mar 15, 2016, at 5:15 PM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> Justin,
> 
> Thanks for the guidance, that got me on the right path.
> 
> Here's where I am:
> 
> IPBlock.bro
> //
> module IPBLOCK;
> 
> export
> {
>        redef enum Notice::Action +=
>        {
>                ACTION_IPBLOCK,
>        };
> 
> const block_types: set[Notice::Type] = {} &redef;
> 
> }
> 
> hook Notice::policy(n: Notice::Info)
> {
>        add n$actions[ACTION_IPBLOCK];
> 
>        local cmd = string_cat("/usr/bin/python /usr/local/bro/share/bro/site/scripts/blockIP.py -a Bro -c 'SQL Injection' -t 72", n$src);
> 
>        local res = Exec::run([$cmd=cmd]);
> }
> //
> 
> local.bro
> //
> @load IPBlocker.bro
> 
> redef IPBLOCK::block_types +=
> {
>        HTTP::SQL_Injection_Attacker,
> };
> //
> 
> -----------------
> 
> broctl takes it fine with no errors (not verified as working).
> 
> I still don't understand what line 63 from your module is doing:
> //
> when (local res = Exec::run([$cmd=cmd, $stdin=stdin])
> //
> 
> What is local res?  I don't understand how that is executing the command.
> 
> Regards,
> Eric

That's not quite right.. it may run, but it won't do what you want.

You're not looking at block_types inside the notice policy, so that is going to try to block every single host that sets off any notice.

See how in my notice policy the first thing I do is

hook Notice::policy(n: Notice::Info)
{
    if ( n$note !in block_types )
        return;

that prevents it from running for notice types that are not in block_types.

You also shouldn't hardcode SQL Injection, you should grab what is in n$note and use that for the message.

I think you are over thinking things with the when block.  That line is just doing

    local res = Exec::run([$cmd=cmd, $stdin=stdin])

Just run is an asynchronous operation so it needs to be wrapped in a when ().

-- 
- Justin Azoff