[Bro] [Bro type clash]
Eugene Dautzenberg
edautz at gmail.com
Thu Nov 24 13:39:26 PST 2016
Thanks,
Your reply solves my syntax error, but I want to use an external script to
push a message to my phone when a notice occurs.
When I have an Intel hit and a port scan I see the notice.log filled.
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2016-11-24-22-26-05
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	suppress_for	dropped	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	interval	bool	string	string	string	double	double
1480022763.168490	Cim1y02Kw1ySXSCjFb	192.168.2.2	43632	185.78.29.33	80	-	-	-	tcp	Intel::Notice	Intel hit on 185.78.29.33 at HTTP::IN_HOST_HEADER	185.78.29.33	192.168.2.2	185.78.29.33	80	-	bro	Notice::ACTION_EMAIL,Notice::ACTION_LOG	0.000000	F	-	-	-	-	-
1480022784.174025	-	-	-	-	-	-	-	-	-	Scan::Port_Scan	192.168.2.2 scanned at least 15 unique ports of host 192.168.2.254 in 0m1s	local	192.168.2.2	192.168.2.254	-	-	bro	Notice::ACTION_EMAIL,Notice::ACTION_LOG	0.000000	F	-	-	-	-	-
In my local.bro I put a hook in the notice function:
hook Notice::policy(n: Notice::Info)
    {
    add n$actions[Notice::ACTION_EMAIL];
    local cmd: string;
    # The port-scan notice is not tied to a connection, so n$id itself is
    # unset (every id.* column logs as "-"); test the record before its field.
    if ( n?$id && n$id?$orig_h )
        {
        cmd = fmt("/home/pi/scripts/pushover_notify Bro_alert src: %s %s",
                  n$id$orig_h, n$msg);
        }
    else
        {
        cmd = fmt("/home/pi/scripts/pushover_notify Bro_alert %s", n$msg);
        }
    # n$msg reaches the shell unquoted here; see str_shell_escape().
    system(cmd);
    }
But the else part is not executed with the port scan, even though id.orig_h
in the notice.log contains a -, so the condition should be false on a port scan.
Can you help me out?
From: Daniel Guerra [mailto:daniel.guerra69 at gmail.com]
Sent: Thursday 24 November 2016 19:36
To: Zeolla at GMail.com
CC: Eugene Dautzenberg; bro at bro.org
Subject: Re: [Bro] [Bro type clash]
Check if present first.
if (n$id?$orig_h)
if (n$id$orig_h =
Regards,
Daniel
On 24 Nov 2016, at 19:23, Zeolla at GMail.com <zeolla at gmail.com> wrote:
Have you tried n$id?$orig_h ? Should return true if it is set. Are you
concerned that it may contain something but it isn't a valid IP?
Also, I believe "-" is just a representation of an unset field for the log
output.
https://www.bro.org/sphinx/scripts/base/frameworks/logging/writers/ascii.bro.html#id-LogAscii::unset_field
On Thu, Nov 24, 2016, 13:06 Eugene Dautzenberg <edautz at gmail.com> wrote:
I want to check if
n$id$orig_h
contains a valid IP address.
But when I use an if comparison, something like
If ( n$id$orig_h = "-" )
I get a type clash (string and cmd) error.
How do I solve this?
Thanks
Sent from my iPhone
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Jon
Sent from my mobile device
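A worked version of the hook this thread is after, added here as an example; it is not code from any of the posts above or from the Bro distribution. It assumes Bro 2.6 or Zeek for safe_shell_quote() (on Bro 2.5, current when the thread was written, the older str_shell_escape() plays the same role), loads the two policy scripts that define the notice types seen in the log above, and keeps the poster's /home/pi/scripts/pushover_notify path as the command. The module name PushoverNotify, the names notify_cmd, push_notes and notice_source, and the sample notices built in bro_init (including the 10.0.0.5 address) are all made up for the demonstration.

```bro
# Added example: push a message per notice, taking the source address from
# whichever field the notice actually carries, and never handing unescaped
# notice text to the shell.
@load misc/scan                     # defines Scan::Port_Scan
@load frameworks/intel/do_notice    # defines Intel::Notice

module PushoverNotify;

export {
	## Command from the original post; assumed to take the message as
	## its arguments (an assumption, the script itself is not on the page).
	const notify_cmd = "/home/pi/scripts/pushover_notify" &redef;

	## Only these notice types are pushed; everything else is left alone.
	const push_notes: set[Notice::Type] = { Intel::Notice, Scan::Port_Scan } &redef;

	## Best-effort source address of a notice, as a string.
	global notice_source: function(n: Notice::Info): string;
}

function notice_source(n: Notice::Info): string
	{
	# A connection-bound notice (the Intel hit) carries n$id. A notice raised
	# from aggregated state (Scan::Port_Scan) has no id at all, which is why
	# every id.* column logs as "-". Test the record before its field; reading
	# n$id$orig_h on a notice without id aborts the hook body with a
	# "field value missing" error, so neither branch of an if/else runs.
	if ( n?$id && n$id?$orig_h )
		return fmt("%s", n$id$orig_h);
	if ( n?$src )
		return fmt("%s", n$src);
	return "unknown";
	}

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note in push_notes )
		{
		# n$msg can echo attacker-controlled bytes (an Intel hit repeats the
		# matched indicator, here a Host header value), so quote both
		# arguments before system() hands the line to /bin/sh.
		local cmd = fmt("%s %s %s", notify_cmd,
		                safe_shell_quote(fmt("Bro_alert src: %s", notice_source(n))),
		                safe_shell_quote(n$msg));
		system(cmd);
		}
	}

event bro_init()
	{
	# Constructed sample notices for a stand-alone check of notice_source();
	# they are not data from the original post and do not go through NOTICE().
	local intel_hit = Notice::Info($note=Intel::Notice, $msg="constructed intel hit",
	    $id=[$orig_h=192.168.2.2, $orig_p=43632/tcp,
	         $resp_h=185.78.29.33, $resp_p=80/tcp]);
	local scan = Notice::Info($note=Scan::Port_Scan, $msg="constructed scan",
	    $src=10.0.0.5, $dst=192.168.2.254);
	local bare = Notice::Info($note=Scan::Port_Scan, $msg="constructed, no source");

	print fmt("intel hit -> %s", notice_source(intel_hit));
	print fmt("scan      -> %s", notice_source(scan));
	print fmt("bare      -> %s", notice_source(bare));
	}
```

Run it with `bro pushover_notify.bro` (or `zeek`, where bro_init is spelled zeek_init) to see the three source lookups; the hook itself only fires for real notices. Note that system() runs the command in the background and does not report its exit status, so a failing push script is silent unless the script logs on its own.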