[Bro] software/version-changes.bro comparison between the two versions.

fatema bannatwala fatema.bannatwala at gmail.com
Tue Feb 21 09:50:32 PST 2017


I was going through the version-changes.bro script, thinking of adding some
software to track the version changes, but realized that there is no comparison
done between the old version tracked and the version detected in "rec: Info" of
the log_software event.

Hence, I was thinking of adding a condition to check it before the notice is
raised for the version change, like the following (or I might be missing
something regarding the functionality of the script. :/)

event log_software(rec: Info)
    {
    local ts = tracked[rec$host];

    if ( rec$name in ts )
        {
        local old = ts[rec$name];

        # Is it a potentially interesting version change?
        if ( rec$name in interesting_version_changes )
            {
            # Proposed addition: only raise the notice when the formatted
            # version actually differs from the one already tracked.
            if ( software_fmt_version(old$version) != software_fmt_version(rec$version) )
                {
                local msg = fmt("%.6f %s switched from %s to %s (%s)",
                                network_time(), rec$software_type,
                                software_fmt_version(old$version),
                                software_fmt(rec), rec$software_type);
                NOTICE([$note=Software_Version_Change, $src=rec$host,
                        $msg=msg, $sub=software_fmt(rec)]);
                }
            }
        }
    }

Any thoughts? Is anybody using this script to track software changes?

Thanks,
Fatema.
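The check proposed above compares formatted version strings. The software framework also exports Software::cmp_versions(), which compares the Version record field by field and returns -1, 0 or 1, so a defender can tell an upgrade from a downgrade rather than only "changed". The following is an added, stand-alone Bro script illustrating that; it is not code from the post or from the Bro project, and the helper change_kind() is a hypothetical name chosen here. The version records are constructed sample values.

```bro
@load base/frameworks/software

# Hypothetical helper (not part of Bro): classify a version change using the
# framework's structural comparison instead of comparing formatted strings.
# Returns "unchanged", "upgrade" or "downgrade".
function change_kind(old: Software::Version, cur: Software::Version): string
    {
    # cmp_versions(a, b): -1 if a < b, 0 if equal, 1 if a > b
    local c = Software::cmp_versions(old, cur);
    if ( c == 0 )
        return "unchanged";
    return c < 0 ? "upgrade" : "downgrade";
    }

event bro_init()
    {
    # Constructed sample versions for the demonstration, not real observations.
    local seen:  Software::Version = [$major=7, $minor=4];
    local same:  Software::Version = [$major=7, $minor=4];
    local newer: Software::Version = [$major=7, $minor=10];
    local older: Software::Version = [$major=6, $minor=9, $addl="p1"];

    # Same version seen again: no notice is warranted.
    print fmt("%s -> %s: %s", Software::software_fmt_version(seen),
              Software::software_fmt_version(same), change_kind(seen, same));

    # 7.4 -> 7.10 is an upgrade; a plain string compare would only say "different".
    print fmt("%s -> %s: %s", Software::software_fmt_version(seen),
              Software::software_fmt_version(newer), change_kind(seen, newer));

    # A downgrade is the case most worth a notice from a defender's view.
    print fmt("%s -> %s: %s", Software::software_fmt_version(seen),
              Software::software_fmt_version(older), change_kind(seen, older));
    }
```

Run it with `bro <file>` and no traffic; it only exercises the comparison, so the same change_kind() result could be used to pick the $msg wording inside the log_software handler.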