[Bro] [Bro type clash]

Zeolla@GMail.com zeolla at gmail.com
Thu Nov 24 14:02:58 PST 2016


Typically the way I would do something like that is I add a custom notice
(like NOTICE::DO_SOMETHING) for things to take that action, then make a
hook notice to look for NOTICE::DO_SOMETHING and take a specific action.

On Thu, Nov 24, 2016, 16:39 Eugene Dautzenberg <edautz at gmail.com> wrote:

> Thnx,
>
> Your reply solves my syntax error, but I want to use an external script to
> push a message to my Phone when a notice occurs.
>
> When I have an Intel hit and a port scan I see the notice.log filled.
>
> #separator \x09
> #set_separator ,
> #empty_field   (empty)
> #unset_field   -
> #path   notice
> #open   2016-11-24-22-26-05
> #fields ts      uid     id.orig_h      id.orig_p      id.resp_h
> id.resp_p      fuid        file_mime_type file_desc      proto   note
> msg     sub     src     dst     p       n        peer_descr     actions
> suppress_for   dropped remote_location.country_code
> remote_location.region remote_location.city
> remote_location.latitude        remote_location.longitude
> #types  time    string  addr    port    addr    port    string  string
> string  enum    enum        string  string  addr    addr    port    count
> string  set[enum]      interval        bool    string  string  string
> double  double
>
> 1480022763.168490      Cim1y02Kw1ySXSCjFb     192.168.2.2    43632
> 185.78.29.33   80      -        -       -       tcp     Intel::Notice
> Intel hit on 185.78.29.33 at HTTP::IN_HOST_HEADER   185.78.29.33
> 192.168.2.2    185.78.29.33   80      -       bro
> Notice::ACTION_EMAIL,Notice::ACTION_LOG       0.000000       F
> -       -       -        -       -
>
> 1480022784.174025      -       -       -       -       -       -
> -       -       -        Scan::Port_Scan 192.168.2.2 scanned at least 15
> unique ports of host 192.168.2.254 in 0m1s    local   192.168.2.2
> 192.168.2.254  -       -       bro
> Notice::ACTION_EMAIL,Notice::ACTION_LOG       0.000000       F
> -       -       -        -       -
>
>
>
> In my local.bro I do a hook in the notice function:
>
> hook Notice::policy(n: Notice::Info)
>     {
>     # Always e-mail the notice as well.
>     add n$actions[Notice::ACTION_EMAIL];
>
>     # Command line for the external push script.
>     local cmd: string;
>
>     if ( n$id?$orig_h )
>         {
>         cmd = cat("/home/pi/scripts/pushover_notify Bro_alert src: ",
>                   n$id$orig_h, " ", n$msg);
>         }
>     else
>         {
>         cmd = cat("/home/pi/scripts/pushover_notify Bro_alert ", n$msg);
>         }
>
>     system(cmd);
>     }
>
>
>
> But the else part is not executed with the port scan, despite the id.orig_h
> in the notice.log containing a "-", so the if condition should be false on a
> port scan.
>
> Can you help me out?
>
>
>
>
>
>
>
> *From:* Daniel Guerra [mailto:daniel.guerra69 at gmail.com]
> *Sent:* Thursday 24 November 2016 19:36
> *To:* Zeolla at GMail.com
> *CC:* Eugene Dautzenberg; bro at bro.org
> *Subject:* Re: [Bro] [Bro type clash]
>
> Check if present first.
>
> if ( n$id?$orig_h )
>
>  if (n$id$orig_h =
>
>
> Regards,
>
> Daniel
>
> On 24 Nov 2016, at 19:23, Zeolla at GMail.com <zeolla at gmail.com> wrote:
>
> Have you tried n$id?$orig_h ?  Should return true if it is set.  Are you
> concerned that it may contain something but it isn't a valid IP?
>
> Also, I believe "-" is just a representation of an unset field for the log
> output.
> https://www.bro.org/sphinx/scripts/base/frameworks/logging/writers/ascii.bro.html#id-LogAscii::unset_field
>
> On Thu, Nov 24, 2016, 13:06 Eugene Dautzenberg <edautz at gmail.com> wrote:
>
> I want to check if
>
> n$id$orig_h
>
> contains a valid ip address.
>
> But when I use an if comparison, something like
>
> If ( n$id$orig_h = "-" )
>
> I get a type clash (string and cmd) error.
>
> How to solve this?
>
> Thx
>
> Sent from my iPhone
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
>
> Jon
>
> Sent from my mobile device
>
>
-- 

Jon

Sent from my mobile device
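The pattern Jon describes above (add a custom action in Notice::policy, then act on it in a second hook), written out as an added example; this is not code from the thread. It assumes the Bro 2.x Notice::notice hook, the str_shell_escape BIF, and a hypothetical pushover_notify script path, and it checks n?$id before touching n$id$orig_h because scan notices carry the host in n$src rather than in a connection id.

```bro
# Added example, not from the mailing-list thread. Loads the policies that
# define the two notice types seen in the notice.log above.
@load policy/frameworks/intel/do_notice
@load policy/misc/scan

module Pushover;

export {
    redef enum Notice::Action += {
        ## Custom action: hand the notice to an external push script.
        ACTION_PUSHOVER
    };

    ## Path to the external script (assumed; adjust to your install).
    const notify_script = "/home/pi/scripts/pushover_notify" &redef;
}

# Step 1: decide which notices get the custom action.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Intel::Notice || n$note == Scan::Port_Scan )
        add n$actions[ACTION_PUSHOVER];
    }

# Step 2: perform the action. Notice::Info has id and src as optional
# fields, so test for the record before dereferencing a field inside it;
# the port-scan record in the log above has no id but does have src.
hook Notice::notice(n: Notice::Info)
    {
    if ( ACTION_PUSHOVER in n$actions )
        {
        local src = "unknown";
        if ( n?$id && n$id?$orig_h )
            src = fmt("%s", n$id$orig_h);
        else if ( n?$src )
            src = fmt("%s", n$src);

        # Quote each argument so a notice message containing shell
        # metacharacters cannot alter the command line given to system().
        local cmd = fmt("%s %s %s", notify_script,
                        str_shell_escape(fmt("Bro_alert src: %s", src)),
                        str_shell_escape(n$msg));
        system(cmd);
        }
    }
```

Put this in a file loaded from local.bro; the ACTION_EMAIL/ACTION_LOG actions from the original hook are unaffected because this only adds a third action.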