[Bro] Converting Notice::Info to JSON

Dave Crawford bro at pingtrip.com
Tue Jan 31 06:49:32 PST 2017


I’m creating a script that hooks Notice notice/policy and executes an ActiveHTTP call to submit specific notice events to a REST endpoint. In the submission I’d like to include the Notice::Info object as a JSON data field, so I tried:

to_json(n)

But it produces the following error:

1485869266.028563 error in /Users/dave/Projects/bro/share/bro/base/utils/json.bro, line 26: wrong port format, must be /[0-9]{1,5}\/(tcp|udp|icmp)/ (to_port(cat(v)))

Do I need to manually re-package all the fields of the Notice::Info, and if so, has anyone already done this so I can borrow the code? :-)

This is the Notice::Info object I’m testing with:

[ts=1485872499.141021, uid=CSRU563utEL1B2yFl5, id=[orig_h=10.0.2.15, orig_p=1381/tcp, resp_h=199.192.156.134, resp_p=443/tcp], conn=<uninitialized>, iconn=<uninitialized>, f=<uninitialized>, fuid=<uninitialized>, file_mime_type=<uninitialized>, file_desc=<uninitialized>, proto=tcp, note=Signatures::Sensitive_Signature, msg=10.0.2.15: ATTACK-RESPONSES Microsoft cmd.exe banner (reverse-shell originator), sub=POST /bbs/info.asp HTTP/1.1\x0d\x0aHost: 199.192.156.134:443\x0d\x0aContent-Length: 165\x0d\x0aConnection: Keep-Alive\x0d\x0aCache-Control: no-cache\x0d\x0a\x0d\x0a3D333531501A..., src=10.0.2.15, dst=199.192.156.134, p=443/tcp, n=<uninitialized>, src_peer=[id=0, host=127.0.0.1, p=0/unknown, is_local=T, descr=bro, class=<uninitialized>], peer_descr=bro, actions={
Phantom::ACTION_PHANTOM,
Notice::ACTION_LOG
}, email_body_sections=[], email_delay_tokens={

}, identifier=<uninitialized>, suppress_for=1.0 hr, dropped=F, remote_location=<uninitialized>]

-Dave
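The error in the post comes from json.bro's port branch, which rebuilds every port value with to_port(cat(v)) and therefore only accepts tcp, udp and icmp ports; the one port in the dumped record that does not match that pattern is p=0/unknown inside src_peer. The script below is an added example, not code from the thread or from the Bro project: it copies the notice fields worth shipping into a smaller record that contains no peer information, serialises that with the stock to_json, and POSTs it with ActiveHTTP from a Notice::policy hook. The module name NoticeJSON, the Slim record, the field selection and the endpoint URL are all assumptions made for the example; ActiveHTTP needs curl on the sensor, and the JSON serialisation of fields such as time and enum follows whatever json.bro does in the running version.

```bro
# Added example (not from the mailing-list thread or the Bro distribution).
# Ships selected Notice::Info fields as JSON to a REST endpoint, avoiding
# the src_peer field whose 0/unknown port trips to_json's to_port() call.
@load base/utils/active-http
@load base/utils/json

module NoticeJSON;

export {
	# Hypothetical endpoint; replace with the real collector URL.
	const endpoint = "https://notice-collector.invalid/api/notices" &redef;

	# Assumed subset of Notice::Info: every port here is a real transport
	# port (or absent), so to_json can serialise the whole record.
	type Slim: record {
		ts:         time;
		note:       Notice::Type;
		msg:        string;
		uid:        string  &optional;
		id:         conn_id &optional;
		sub:        string  &optional;
		src:        addr    &optional;
		dst:        addr    &optional;
		p:          port    &optional;
		peer_descr: string  &optional;
	};
}

# Copy only the fields that are set; optional fields must be tested with ?$
# before being read, otherwise accessing them is a runtime error.
function slim(n: Notice::Info): Slim
	{
	local s = Slim($ts=n$ts, $note=n$note, $msg=n$msg);

	if ( n?$uid )        s$uid = n$uid;
	if ( n?$id )         s$id = n$id;
	if ( n?$sub )        s$sub = n$sub;
	if ( n?$src )        s$src = n$src;
	if ( n?$dst )        s$dst = n$dst;
	if ( n?$p )          s$p = n$p;
	if ( n?$peer_descr ) s$peer_descr = n$peer_descr;

	return s;
	}

hook Notice::policy(n: Notice::Info)
	{
	# Only forward the notice type from the original post; extend as needed.
	if ( n$note == Signatures::Sensitive_Signature )
		{
		local body = to_json(slim(n));

		local req = ActiveHTTP::Request($url=endpoint,
		                                $method="POST",
		                                $client_data=body,
		                                $addl_curl_args="-H \"Content-Type: application/json\"");

		# ActiveHTTP::request runs asynchronously; the when block fires
		# once curl returns, so the hook itself never blocks notice handling.
		when ( local resp = ActiveHTTP::request(req) )
			{
			if ( resp$code != 200 )
				Reporter::warning(fmt("NoticeJSON: POST to %s returned %d",
				                      endpoint, resp$code));
			}
		}
	}
```

Because the Slim record carries no src_peer, the unknown-protocol port never reaches to_json; if other fields are later added to the record, keep them to types json.bro already handles (string, addr, conn_id, count, time, enum) or the same class of error reappears.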