26 Apr
2006
26 Apr
'06
5:52 a.m.
I'm a newbie to Bro and have been reading up and playing the last several
days.
In trying to get an example from the user manual to work I'm not having
much luck.
It's probably something obvious but...
I modified the example on page 40-41 of the User Manual to suit our site.
Here is the policy file (example.bro):
#-----------------
@load bro.init
@load brolite
const web_servers = { moose.ca, };
const mail_servers = { mail.moose.ca, };
redef allow_services_to: set[addr, port] += {
[mail_servers, smtp],
[web_servers, http],
};
if ( service !in allow_services ) NOTICE ($note=SensitiveConnection, $conn=c,]); ####
This is the problem line. ####
#-----------------
Running on the cmd line leads to:
root@tester<254>/usr/local/bro # bro -r ~chris/traces/smtp ./site/example.bro
./site/example.bro, line 12: error: unknown identifier service, at or near
"service"
Did a grep through $BROHOME/policy/* but couldn't find anything obvious to
load to declare "service" correctly.
What little "tidbit" am I missing?
Is there a repository of really rudimentary policy files somewhere?
TIA
--
http://moose.ca
26 Apr
26 Apr
8:09 a.m.
On Wed, Apr 26, 2006 at 08:52 -0400, Chris Alexander wrote:
redef allow_services_to: set[addr, port] += {
[mail_servers, smtp],
[web_servers, http],
};
if ( service !in allow_services ) NOTICE ($note=SensitiveConnection,
$conn=c,]); #### This is the problem line. ####
The problem here is that the "if..." is not inside an event handler.
The user manual might be a bit confusing here: this code is just an
excerpt of how to make use of the allow_services table but it does
not work on its own. Take a look at the head of the function
check_hot() in hot.bro to see how this works in larger context.
(check_hot() is in turn called from various event handlers such as
connection_established() in conn.bro).
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin(a)icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org
8:28 a.m.
The manual leaves out a key piece of information: Where to put the
" if ( service !in allow_services ) " line.
This should be in a connection_established event.
eg:
event connection_established(c: connection)
{
local id = c$id;
local service = id$resp_p;
local inbound = is_local_addr(id$resp_h);
if ( inbound && service !in allow_services )
NOTICE [($note=SensitiveConnection, $conn=c,
$msg=fmt("hot: %s", full_id_string(c)) ]);
}
(note: $msg was missing from the manual. This is needed too.)
see conn.bro for more examples.
Chris Alexander wrote:
I'm a newbie to Bro and have been reading up and playing the last
several days.
In trying to get an example from the user manual to work I'm not having
much luck.
It's probably something obvious but...
I modified the example on page 40-41 of the User Manual to suit our site.
Here is the policy file (example.bro):
#-----------------
@load bro.init
@load brolite
const web_servers = { moose.ca, };
const mail_servers = { mail.moose.ca, };
redef allow_services_to: set[addr, port] += {
[mail_servers, smtp],
[web_servers, http],
};
if ( service !in allow_services ) NOTICE ($note=SensitiveConnection,
$conn=c,]); #### This is the problem line. ####
#-----------------
Running on the cmd line leads to:
root@tester<254>/usr/local/bro # bro -r ~chris/traces/smtp
./site/example.bro
./site/example.bro, line 12: error: unknown identifier service, at or
near "service"
Did a grep through $BROHOME/policy/* but couldn't find anything obvious
to load to declare "service" correctly.
What little "tidbit" am I missing?
Is there a repository of really rudimentary policy files somewhere?
TIA
--
------------------------------------------------------------------------
Brian L. Tierney, Lawrence Berkeley National Laboratory (LBNL)
1 Cyclotron Rd. MS: 50B-2239, Berkeley, CA 94720
tel: 510-486-7381 fax: 510-495-2998 efax: 603-719-5047
bltierney(a)lbl.gov http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------
9:05 a.m.
Thank you both very much!
I had a feeling there was something I wasn't seeing in the forest for all
the trees in my way. I've got something that works now.
For the other newbies that may stumble across this thread in the archives
this generates useful (??) output to the log files with Bro v1.0:
#----------------- Start test code (example.bro)
@load bro.init
@load brolite
@load conn
#
# Modify these values for your site
#
const web_servers = { moose.ca, internel.moose.ca, };
const mail_servers = { mail.moose.ca, mailgate.moose.ca, };
redef allow_services_to: set[addr, port] += {
[mail_servers, smtp],
[web_servers, http],
};
event connection_established(c: connection)
{
local id = c$id;
local service = id$resp_p;
local inbound = is_local_addr(id$resp_h);
if ( service !in allow_services ) {
NOTICE([$note=SensitiveConnection, $conn=c,
$msg=fmt("hot: %s", full_id_string(c))]);
}
}
#---------------- EOF
To generate "offline" data to play with do something like:
# tcpdump -i bge0 -w ~chris/traces/smtp.trace -c 100000000 port smtp &
Then to run the script against this captured trace file once it has
captured all the data:
# bro -r ~chris/traces/smtp.trace ./site/example.bro
Hope this helps someone in the future. Maybe quick start guide or user man
could be updated with something more fleshed out along these lines for the
next revision? Just an idea. I'd be happy to provide text if required.
Onward ho, time to stumble in the fog now that the sun has risen.
Thanks again.
--
http://moose.ca
5869
days inactive
5869
days old
3 comments
3 participants
participants (3)
-
Brian Tierney -
Chris Alexander -
Robin Sommer