I’m working with the correlation script released by CrowdStrike (thank you, BTW), and I want to populate the “srcip” field with the correct source IP so that I can do a groupby on that field in ELSA. How do I get the conn record for this connection into the function below so that I can add $conn=c to the notice? I'm not sure what the best way to do this is; can I just add it to the function arguments, or define “c” as a local and then assign the source IP (“idx” in this case) to c$id$orig_h?
function alerts_out(t: table[addr] of set[string], idx: addr): interval
I wrote the script you're referring to, so hopefully I can help.
(Sorry for taking so long to reply to your message, I meant to do this
earlier but haven't had time.)
I don't use ELSA, but based on your description it sounds like it
parses the Bro notice c$id fields and not the src or dst fields. This
script doesn't use the c$id fields since no connection record exists
after correlation has taken place; the only field containing a
connection artifact is the src field, so that is the field you would
want to groupby. It sounds like the fix for this could be in ELSA, but
if you'd like to alter the Bro script to support the ELSA srcip field
as it is now, then this (ugly solution) should work:
Change this line in each notice: $src=idx,
To this: $id=[$orig_h=idx,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
By doing that, we're faking a full connection record to get the idx
value into the c$id$orig_h field (and thus the srcip field in ELSA).
Hope this helps! Let me know if I was way off base.
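For readers who want to see the workaround from the reply above in context, here is an added, self-contained example (not the CrowdStrike correlation script and not the author's code) that raises a notice from a table expiry function and fakes a conn_id so the correlated source address lands in c$id$orig_h. The notice type Correlated_Alerts, the threshold alert_threshold, the helper fake_conn_id, and the sample addresses and alert names are all assumptions made for illustration; the event handler uses current Zeek naming (zeek_init, formerly bro_init), and $src is still set alongside $id so tools that key on the src field keep working.

```zeek
@load base/frameworks/notice

module CorrelationExample;

export {
    redef enum Notice::Type += {
        ## Raised when one source trips several distinct alerts (hypothetical type).
        Correlated_Alerts,
    };

    ## Minimum number of distinct alert names before a notice fires (assumed value).
    const alert_threshold = 3 &redef;
}

# No connection exists once correlation has finished, so build a conn_id
# that carries only the source address; the remaining fields are placeholders
# (0/tcp and 0.0.0.0), exactly as in the workaround discussed in the thread.
function fake_conn_id(src: addr): conn_id
    {
    return [$orig_h=src, $orig_p=0/tcp, $resp_h=0.0.0.0, $resp_p=0/tcp];
    }

# Expiry handler for the correlation table: called once per source when its
# entry ages out. Returning 0secs lets the entry be removed as usual.
function alerts_out(t: table[addr] of set[string], idx: addr): interval
    {
    local names = t[idx];
    if ( |names| >= alert_threshold )
        {
        local msg = fmt("%s triggered %d distinct alerts", idx, |names|);
        NOTICE([$note=Correlated_Alerts,
                $src=idx,                  # keeps the src field populated
                $id=fake_conn_id(idx),     # puts idx into c$id$orig_h as well
                $msg=msg,
                $n=|names|,
                $identifier=cat(idx)]);
        }
    return 0secs;
    }

# Per-source set of alert names; entries expire five minutes after the last write.
global alerts: table[addr] of set[string] &write_expire=5mins &expire_func=alerts_out;

# Constructed sample input so the script runs stand-alone with no traffic,
# e.g. `zeek -b correlation_example.zeek`, and writes one line to notice.log.
event zeek_init()
    {
    local src = 192.0.2.10;
    alerts[src] = set("ssh_bruteforce", "port_scan", "http_spider");
    # Drive the expiry path directly instead of waiting five minutes.
    alerts_out(alerts, src);
    delete alerts[src];
    }
```

After running it, the notice.log entry should show id.orig_h and src both equal to 192.0.2.10, with id.resp_h as 0.0.0.0 and both ports as 0; that is the signal a consumer keyed on the id fields (as ELSA's srcip appears to be) needs, at the cost of a connection record that is obviously synthetic.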
Thanks for the response.
I tried something similar already, but it wants the connection unique ID field filled as well, and I haven't figured out how to handle that yet. I haven't had time to play with it beyond my first attempt. Thanks.
It sounds odd that ELSA requires the conn uid field; there are many scripts that do not put conn uid values in the notice. Out of curiosity, have you (or anyone) seen any scanning notices in ELSA?
Sorry, I was getting an error in Bro about the Conn ID field, not ELSA. And the notices were not showing up in notice.log. I probably just missed something simple. I really didn’t have time to look into it.
I see scanning notices in ELSA, but they come in with the default of the loopback IP for src and dst unfortunately. So it can make them hard to correlate.