[Bro] NetControl configuration

Andrew Dellana andrew.dellana at bayer.com
Thu Mar 30 07:32:51 PDT 2017


Got around to adding net control to all the scripts, and now they are failing. The script is FoxIT's ransomware script.  Any idea how I can get this to work?


event NetControl::init()
{
NetControl::drop_connection (conn_id, 0, "Cyrpto Blocked")
}


hook Notice::policy(n: Notice::Info)
        {
        if fox_entropy=T Then
                add n$actions[Notice::ACTION_DROP]
                add n$actions[Notice::ACTION_EMAIL];
        }




error in /opt/bro/share/bro/base/init-bare.bro, lines 123-127 and /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127: type clash (conn_id and conn_id)
error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127 and /opt/bro/share/bro/base/init-bare.bro, lines 123-127: type mismatch (conn_id and conn_id)
error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127: argument type mismatch in function call (NetControl::drop_connection(conn_id, 0, Cyrpto Blocked))
error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 128: syntax error, at or near "}"


Freundliche Grüße / Best regards,

Andrew Dellana
Intern
________________________


-----Original Message-----
From: Azoff, Justin S [mailto:jazoff at illinois.edu] 
Sent: Thursday, March 16, 2017 11:08 AM
To: Andrew Dellana
Cc: bro at bro.org
Subject: Re: [Bro] NetControl configuration


> On Mar 16, 2017, at 11:04 AM, Andrew Dellana <andrew.dellana> wrote:
> 
> Yes,  I do want to make the NetControl actions based on what is alerted in Notices. Can all the helpers be stored in one file and only call the helper that is needed?

Yep, you can do exactly that.

-- 
- Justin Azoff




More information about the Bro mailing list