[Bro] Try.Bro.Org Table Creation Inquiry

Philip Romero promero at cenic.org
Thu Mar 9 11:32:49 PST 2017


Justin,

Thanks for the hook pointer. I'm able to retrieve the data 
elements directly from the hook, but I am still struggling to feed 
this data into a table. All the searching I find only speaks of feeding 
data in from a file. I can't find any source for how to feed this "live" 
data into a table.

UPDATED CODE:

hook Notice::policy(n: Notice::Info)
    {
    # Only remote Port_Scan / Address_Scan notices. The ?$ tests guard the
    # optional fields (sub, src): reading an unset optional field raises a
    # runtime error. Parentheses make the intended grouping explicit.
    if ( n?$sub && n$sub == "remote" && n?$src &&
         ( n$note == Scan::Port_Scan || n$note == Scan::Address_Scan ) )
        {
        local ssrc = n$src;
        local sts = n$ts;
        local snote = n$note;

        print ssrc, sts, snote;
        }
    }


On 3/8/17 11:37 AM, Azoff, Justin S wrote:
> It isn't working on try.bro.org because it's running against a pcap 
> and the bro process only runs for a fraction of a second before 
> exiting. At startup the file doesn't exist yet and the initial read 
> will fail.
> This won't work properly on a live cluster though due to issues that only recently got fixed with the input framework.  The next version of bro will re-try input files that couldn't be read at startup.  Previously, the input framework would stop trying after the initial failure.
>
> In any case.. what you are trying to do doesn't actually require the use of files.  You can just add a Notice::policy hook and add the scanner ip directly to the scanners table.

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
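The approach Justin describes, a Notice::policy hook that writes scanner addresses straight into a table instead of going through the input framework, as an added example; it is not code from this thread or from the Bro distribution, and the module name ScanTracker, the record type ScanInfo and the connection_established consumer are assumptions for illustration:

```bro
@load policy/misc/scan

module ScanTracker;

export {
    ## What we remember per scanner (hypothetical record type).
    type ScanInfo: record {
        first_seen: time;
        last_seen:  time;
        note:       Notice::Type;
        hits:       count &default=0;
    };

    ## Live table of remote scanners, filled from notices as they fire.
    ## An entry ages out one hour after it was last written.
    global scanners: table[addr] of ScanInfo &write_expire=1hr;
}

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Scan::Port_Scan || n$note == Scan::Address_Scan )
        {
        # sub and src are optional fields: test with ?$ before reading them,
        # otherwise an unset field is a runtime error.
        if ( n?$src && n?$sub && n$sub == "remote" )
            {
            if ( n$src !in scanners )
                scanners[n$src] = [$first_seen=n$ts, $last_seen=n$ts, $note=n$note];
            else
                scanners[n$src]$last_seen = n$ts;

            ++scanners[n$src]$hits;

            print fmt("scanner %s (%s) seen %d time(s)",
                      n$src, n$note, scanners[n$src]$hits);
            }
        }
    }

# Consumer of the table: flag new connections from an address we already
# recorded as a scanner. Any other handler can consult the table the same way.
event connection_established(c: connection)
    {
    if ( c$id$orig_h in scanners )
        print fmt("connection from known scanner %s to %s",
                  c$id$orig_h, c$id$resp_h);
    }
```

On try.bro.org the table only lives for the duration of the pcap, so the consumer event is the easiest way to see that entries were actually added.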
