[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042 ]
Aaron Eppert edited comment on BIT-1339 at 3/19/15 5:17 PM:
------------------------------------------------------------
Per the debacle in
[BIT-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure
to add to_port() for $resp_p.
{noformat}
NOTICE([$note=Address_Scan,
$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);
{noformat}
was (Author: aeppert):
Per the debacle in
[BIT-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure
to add to_port() for $resp_p.
{noformat}
NOTICE([$note=Address_Scan,
#$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+ #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);
{noformat}
> Remove src and dst from notice
> ------------------------------
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
> Issue Type: Improvement
> Components: Bro
> Affects Versions: git/master
> Reporter: Seth Hall
> Assignee: Seth Hall
> Fix For: 2.4
>
>
> Email from Brian Kellog...
> Related to this, I'm planning on deprecating $src and $dst from notices and
> removing their use from all shipped Bro scripts.
> {quote}
> I'm going through and updating the NOTICEs for different detection scripts
> built into Bro. Trying to get the generated NOTICE logs set correctly for
> ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro
> appropriate way. Couple questions:
> Is this the best way to accomplish this task? Secondly, if advisable, how do
> we get these script changes incorporated into Bro base? I'm not that
> experienced with git but willing to learn more if needed. These changes were
> made, again, to benefit ELSA searching/grouping and for the Bro correlation
> script recently released.
> Here's what I changed/added in some of the built-in detection scripts (lines
> with "+" are what I changed/added):
> /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
> NOTICE([$note=Password_Guessing,
> $msg=fmt("%s appears to be guessing SSH passwords (seen in %d
> connections).", key$host, r$num),
> $sub=sub_msg,
> + #$src=key$host,
> +
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> $identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
> NOTICE([$note=FTP::Bruteforcing,
> + #$src=key$host,
> +
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> $msg=message,
> $identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
> NOTICE([$note=SQL_Injection_Attacker,
> $msg="An SQL injection attacker was discovered!",
> $email_body_sections=vector(format_sqli_samples(r$samples)),
> + #$src=key$host,
> +
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> + $sub=cat(format_sqli_samples(r$samples)),
> $identifier=cat(key$host)]);
> }]);
> …
> NOTICE([$note=SQL_Injection_Victim,
> $msg="An SQL injection victim was discovered!",
> $email_body_sections=vector(format_sqli_samples(r$samples)),
> + #$src=key$host,
> +
> $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
> + $sub=cat(format_sqli_samples(r$samples)),
> $identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/misc/scan.bro
> NOTICE([$note=Address_Scan,
> #$src=key$host,
> +
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
> + #$p=to_port(key$str),
> $sub=side,
> $msg=message,
> $identifier=cat(key$host)]);
> }]);
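Review bot: `$resp_p=key$str` in the Address_Scan $id assigns a string to a port field; the commented-out line directly below it already converts the same key with `to_port(key$str)`, so the $id line should read `$resp_p=to_port(key$str)` (this is the to_port() fix the comment at the top of this message asks for).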
> …
> NOTICE([$note=Port_Scan,
> #$src=key$host,
> +
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
> + #$dst=to_addr(key$str),
> $sub=side,
> $msg=message,
> $identifier=cat(key$host)]);
> }]);
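Review bot: `$resp_h=key$str` in the Port_Scan $id has the same string-to-typed-field problem on the address side; the commented-out `#$dst=to_addr(key$str)` shows the conversion that was used before, so the $id line should read `$resp_h=to_addr(key$str)`.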
> /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
> NOTICE([$note=Traceroute::Detected,
> $msg=fmt("%s seems to be running traceroute using %s", src,
> proto),
> + #$src=src,
> + $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
> $identifier=cat(src,proto)]);
> }]);
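Review bot: the Traceroute $id hard-codes `$orig_p=0/icmp,$resp_p=0/icmp` while the $msg two lines up reports the transport from `proto`; if `proto` can be something other than icmp, the logged id ports will claim icmp for a traceroute that was not. Consider deriving the placeholder ports from `proto` instead of assuming icmp.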
> {quote}
--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
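As an added example (not part of the issue, the comment, or Bro's shipped scripts): a small standalone Bro script that builds the `$id` for the two scan notices discussed above from a string key, converting with `to_port()` and `to_addr()` as the comment recommends instead of assigning the raw string to a port or addr field. The module name, notice types, helper functions and the sample key values are assumptions made for illustration; the `0/tcp` and `0.0.0.0` placeholders follow the convention used in the quoted scripts.

```zeek
# Added example, not code from BIT-1339 or from Bro's policy/ scripts.
# Shows how to populate a notice's $id (a conn_id) when the SumStats key
# carries the "other side" as a string: convert it with to_port()/to_addr()
# rather than assigning key$str directly.
#
# Module name, notice types, helpers and sample values are hypothetical.

@load base/frameworks/notice

module ScanExample;

export {
    redef enum Notice::Type += {
        ## Hypothetical: one host probed the same port on many hosts.
        Address_Scan,
        ## Hypothetical: one host probed many ports on a single host.
        Port_Scan,
    };
}

# conn_id for an address scan: the scanner is orig_h and the probed port,
# which SumStats hands us as a string (key$str), is resp_p.  resp_h is a
# placeholder because there is no single responder.
function address_scan_id(scanner: addr, port_str: string): conn_id
    {
    return [$orig_h=scanner, $orig_p=0/tcp,
            $resp_h=0.0.0.0, $resp_p=to_port(port_str)];
    }

# conn_id for a port scan: the scanner is orig_h and the probed host,
# again a string in the key, is resp_h.  resp_p is a placeholder.
function port_scan_id(scanner: addr, host_str: string): conn_id
    {
    return [$orig_h=scanner, $orig_p=0/tcp,
            $resp_h=to_addr(host_str), $resp_p=0/tcp];
    }

event bro_init()
    {
    # Constructed sample values standing in for SumStats::Key$host and
    # Key$str; in a real script these come from the threshold_crossed
    # callback's key argument.
    local scanner = 10.0.0.5;

    NOTICE([$note=Address_Scan,
            $id=address_scan_id(scanner, "22/tcp"),
            $msg=fmt("%s scanned port 22/tcp on many hosts", scanner),
            $identifier=cat(scanner)]);

    NOTICE([$note=Port_Scan,
            $id=port_scan_id(scanner, "192.168.1.10"),
            $msg=fmt("%s scanned many ports on 192.168.1.10", scanner),
            $identifier=cat(scanner)]);
    }
```

Running this with `bro scan_example.bro` (hypothetical file name) writes two entries to notice.log whose id.resp_p and id.resp_h columns hold a real port and address; assigning `"22/tcp"` or `"192.168.1.10"` to those fields without the conversion would instead fail type-checking when the script is loaded.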