Hello,
Following up on some ideas from the Exchange, I've created an unofficial git repository for community submitted Bro scripts.
<https://github.com/grigorescu/bro-scripts>
If you have any scripts that you'd like to share with the community, please fork this repo, add your script, and submit a pull request. I know that there are many scripts floating around out there, and I think everyone would be interested to see what others are doing.
Currently, I'll be reviewing all submitted scripts for security vulnerabilities (strictly with regard to not exfiltrating your sensitive Bro data, not introducing new, sensitive data in your logs unless it's clearly documented, that sort of thing).
Obviously, none of these scripts come with any sort of guarantee - however, if you encounter a broken script, you can always fix it and push it back! Please also keep in mind that this is really a temporary solution until a better script repository system is designed.
Feel free to let me know any comments or questions that you may have, or if you can think of a better way to implement this.
Thanks,
--Vlad
Nice! http-exe-bad-attributes.bro alone is worth checking out. Thanks!
Thanks Vlad! Looking forward to some organization and general cleanup.
.Seth
I have a bunch of other ones that could be included (after some cleanups) here:
https://github.com/justinazoff/bro_scripts/tree/2.0
active-hosts-metrics.bro
rogue-access-points.bro
log-external-dns.bro
are useful.
I want to update log-external-dns to cache the result of lookup_addr and have another notice type/flag when it doesn't resolve. After running it for a while I've found that external DNS servers without PTR records are almost always the really nasty ones.
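As an added sketch of the caching-and-notice behaviour described in the message above (this is not code from Justin's repository or from any participant in the thread), the following Bro 2.x script keeps one reverse lookup per external DNS server and raises a notice when the address has no PTR record. The module name, notice type, cache table, the port-53 filter and the assumption that a failed lookup_addr yields "<???>" or the bare address are my own.

```bro
@load base/frameworks/notice
@load base/utils/site

module ExternalDNS;

export {
	redef enum Notice::Type += {
		## Raised when an external DNS server's address has no PTR record.
		No_PTR_Record,
	};

	## Cache of reverse-lookup results; entries expire a day after creation.
	global ptr_cache: table[addr] of string &create_expire = 1 day;
}

# Assumption: a lookup_addr that fails returns "<???>" or the bare address.
function resolved(srv: addr, name: string): bool
	{
	return name != "<???>" && name != fmt("%s", srv);
	}

event connection_established(c: connection)
	{
	local srv = c$id$resp_h;
	# Only DNS traffic to servers outside the locally configured networks.
	if ( c$id$resp_p != 53/udp && c$id$resp_p != 53/tcp )
		return;
	if ( Site::is_local_addr(srv) || srv in ptr_cache )
		return;

	# lookup_addr is asynchronous; the body runs once the lookup completes.
	when ( local name = lookup_addr(srv) )
		{
		ptr_cache[srv] = name;
		if ( ! resolved(srv, name) )
			NOTICE([$note=No_PTR_Record, $conn=c,
			        $msg=fmt("external DNS server %s has no PTR record", srv),
			        $identifier=cat(srv)]);
		}
	timeout 30 secs
		{
		# Nothing is cached on timeout, so a later connection retries the lookup.
		}
	}
```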
FYI, I think that some of these scripts may require a special branch of bro with extensions to the metrics framework that aren't going to show up until 2.2. Do any of these scripts you pointed out require that branch Justin?
.Seth
active-hosts-metrics.bro does, and most of the other metrics scripts in that repo.
> Please also keep in mind that this is really a temporary solution until a better script repository system is designed.
Good to see you're approaching this still actively. We're at a point where having the BPAN would significantly help bootstrapping community efforts like yours. Also, there is already a concrete proposal of what this could look like:
http://www.bro-ids.org/development/projects/cban.html
Any feedback on this would be highly valuable, so that we can go ahead and incorporate it into the design.
Matthias
(For completeness, here's my assorted Bro script repository: mavam/brospects on GitHub, "Experimental Bro scripts with good prospects for the official bro-scripts repository.")