[Bro] NetControl configuration
Aashish Sharma
asharma at lbl.gov
Wed Apr 5 09:50:29 PDT 2017
Also, not sure if it's worth pointing out, but this has all kinds of errors and oversights:
> > hook Notice::policy(n: Notice::Info)
> > {
> > if fox_entropy=T Then
> > add n$actions[Notice::ACTION_DROP]
> > add n$actions[Notice::ACTION_EMAIL];
> > }
> >
hook Notice::policy(n: Notice::Info)
{
if (n$note == FoxEntropy) ### or whatever you are generating the notice for.
{
add n$actions[Notice::ACTION_DROP];
add n$actions[Notice::ACTION_EMAIL];
}
}
Always use {} in notice action definitions. I once didn't put notice actions within {} after if conditions. I still haven't forgotten that day because of the unexpected surprises.
Secondly:
> > event NetControl::init()
> > {
> > NetControl::drop_connection (conn_id, 0, "Cyrpto Blocked")
> > }
Nope, you put NetControl::drop_connection in your script either associating it with a notice or some other logic.
NetControl::init is to initialize - here is what I have:
event NetControl::init()
{
local pacf_acld = NetControl::create_acld([$acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/pacf"]);
NetControl::activate(pacf_acld, 0);
}
Then later, something like this:
function drop_it(ip: addr, msg: string): bool
{
if (ip in drop_info && drop_info[ip]$drop_status == SUCCESS)
return T;
local result = NetControl::drop_address(ip, 20 secs, msg);
print fmt("result is %s", result);
return T;
}
Aashish
On Wed, Apr 05, 2017 at 09:30:51AM -0700, Johanna Amann wrote:
> Hi,
>
> The script excerpt is not quite long enough to see what exactly is going
> on here (it does, for example, not show where conn_id is coming from and
> how you defined it).
>
> Could you perhaps just post the complete script in its current state?
>
> Johanna
>
> On Thu, Mar 30, 2017 at 02:32:51PM +0000, Andrew Dellana wrote:
> > Got around to adding net control to all the scripts, and now they are failing. The script is FoxIT's ransomware script. Any idea how I can get this to work?
> >
> >
> > event NetControl::init()
> > {
> > NetControl::drop_connection (conn_id, 0, "Cyrpto Blocked")
> > }
> >
> >
> > hook Notice::policy(n: Notice::Info)
> > {
> > if fox_entropy=T Then
> > add n$actions[Notice::ACTION_DROP]
> > add n$actions[Notice::ACTION_EMAIL];
> > }
> >
> >
> >
> >
> > error in /opt/bro/share/bro/base/init-bare.bro, lines 123-127 and /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127: type clash (conn_id and conn_id)
> > error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127 and /opt/bro/share/bro/base/init-bare.bro, lines 123-127: type mismatch (conn_id and conn_id)
> > error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127: argument type mismatch in function call (NetControl::drop_connection(conn_id, 0, Cyrpto Blocked))
> > error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 128: syntax error, at or near "}"
> >
> >
> > Freundliche Grüße / Best regards,
> >
> > Andrew Dellana
> > Intern
> > ________________________
> >
> >
> > -----Original Message-----
> > From: Azoff, Justin S [mailto:jazoff at illinois.edu]
> > Sent: Thursday, March 16, 2017 11:08 AM
> > To: Andrew Dellana
> > Cc: bro at bro.org
> > Subject: Re: [Bro] NetControl configuration
> >
> >
> > > On Mar 16, 2017, at 11:04 AM, Andrew Dellana <andrew.dellana> wrote:
> > >
> > > Yes, I do want to make the NetControl actions based on what is alerted in Notices. Can all the helpers be stored in one file and only call the helper that is needed?
> >
> > Yep, you can do exactly that.
> >
> > --
> > - Justin Azoff
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
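As an added example (not from anyone in this thread), here is one complete script that puts the pieces the replies describe in the right places: NetControl::init only activates a backend, and the drop is issued from the Notice::policy hook, keyed on the note, with both actions inside braces. The notice type, the 4444/tcp trigger, the block duration and the module name are assumptions made for illustration, and the debug backend stands in for the acld backend so the script runs on a pcap without an external blocker.

```zeek
# Added example, not code from the thread. Names marked "assumed" are
# placeholders chosen for illustration.
@load base/frameworks/notice
@load base/frameworks/netcontrol

module RansomExample;

export {
	redef enum Notice::Type += {
		## Assumed notice type; stands in for the FoxEntropy notice
		## discussed on the list.
		Suspicious_Entropy
	};

	## How long to keep the source address blocked. Assumed value.
	const block_duration = 20 secs &redef;
}

# NetControl::init only wires up a backend. The debug backend prints what
# it would do instead of talking to a real device, so this runs offline.
event NetControl::init()
	{
	local debug_plugin = NetControl::create_debug(T);
	NetControl::activate(debug_plugin, 0);
	}

# The drop decision belongs here, not in NetControl::init. n$src is filled
# in by the notice framework when the notice is raised with $conn, and the
# n?$src check guards notices raised without a connection.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Suspicious_Entropy && n?$src )
		{
		add n$actions[Notice::ACTION_EMAIL];
		NetControl::drop_address(n$src, block_duration, "Suspicious_Entropy notice");
		}
	}

# Stand-in detector so the notice fires at all. A real script would raise
# the notice from its own entropy logic; the port check is an assumed trigger.
event connection_established(c: connection)
	{
	if ( c$id$resp_p == 4444/tcp )
		NOTICE([$note=Suspicious_Entropy,
		        $msg=fmt("assumed trigger from %s", c$id$orig_h),
		        $conn=c,
		        $identifier=cat(c$id$orig_h)]);
	}
```

Running this against a capture (bro -r file.pcap this_script.bro) prints the debug backend's drop lines and writes the notice and netcontrol logs, which is enough to check the wiring before swapping create_debug for create_acld.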