[Bro] Try.Bro.Org Table Creation Inquiry

Philip Romero promero at cenic.org
Wed Mar 8 10:59:08 PST 2017 

All,

I am trying to test a script to create a table at try.bro.org that I am 
having some trouble getting to work and was hoping to get some insight 
as to how to fix the issue. The intention is to create a table that I 
can read from for some additional monitoring. The testing I am doing is 
for what I believe is a simple use case, but the long term intention is 
to have a foundation for which I might create additional monitoring 
triggers. BTW - I have not gotten to the actual trigger script yet. I am 
still at the table creation portion of this process.

The intention of the table is to log "active" scanner IP sources, 
timestamps, and notes from the notice.log and compare these to the 
conn.log to trigger if a scanner actually reaches and gets a response 
from an internal host. I have 2 scripts that independently work on the 
try.bro.org site, but I am trying to get them to work at the same time. 
The second script only works if I manually add the file (space 
delimited) in try.bro.org before I run the script.

Ideally I'd like to have the table build live by reading in fields from 
either the current/notice.log or current/scanners.log I created from the 
first script, or even native tables created by the core bro environment. 
When I have these both run at the same time from try.bro.org site, I get 
an error opening the file source called in the second script being 
created by the first script. Any pointers or help on this would be 
greatly appreciated.

SCRIPT 1: creates a new log file called scanners.log (btw - I have this 
running fine in my local dev environment)

event bro_init()

{

# Add a new filter to the Notice::LOG stream that logs only

# timestamp, note, and scanner address.

local scanner_filter: Log::Filter = [$name="active-scanners",

$path="scanners",

$include=set("ts", "src", "note"),

$pred(rec: Notice::Info) = { return rec?$sub && rec$sub == "remote" && 
rec$note == Scan::Port_Scan ||

rec$note == Scan::Address_Scan && rec$sub == "remote"; }];

Log::add_filter(Notice::LOG, scanner_filter);

}


SCRIPT 2: reads in the scanners.log file, creates the scanners table, 
and prints it for confirmation that it worked.

redef InputAscii::separator = " ";

type Idx: record {

src: addr;

};

type Val: record {

ts: time;

note: string;

};

global scanners: table[addr] of Val = table();

event bro_init() {

Input::add_table([$source="scanners.log", $name="scanners",

$idx=Idx, $val=Val, $destination=scanners]);

Input::remove("scanners");

}

event Input::end_of_data(name: string, source: string) {

# now all data is in the table

print scanners;

}


-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170308/b4ff9af7/attachment.html

More information about the Bro mailing list