BRO and SQL

Hello,

I am trying to add to BRO the ability to ignore traffic from certain IP ranges dynamically.

I have a DB with IP addresses (that changes once in a while) and I would like to write a BRO script that will query the DB once in a while, grab those IP addresses and drop new connections with these IPs.

Question:

  1. Is it possible to query a DB from BRO scripts? Are there any examples?
  2. Assuming yes, should I implement this logic at the ‘new_connection’ event? (I would like to drop connections from these IPs as soon as possible).

Thank You
Dave

I am trying to add to BRO the ability to ignore traffic from certain IP ranges dynamically.

We're hoping to do this more generally with the 2.1 release. 2.0 has an Intelligence (Intel) framework which is meant for being updated at runtime but we didn't get its API in shape to really be used. For 2.1 we're also hoping to have the Reaction framework completed which will provide you a way to hook Bro together with external devices which can block traffic or take other actions. These two frameworks should cover this use case really well. Unfortunately Bro's not quite there yet.

1. Is it possible to query a DB from BRO scripts? Are there any examples?

Not yet, but we have another option that will almost certainly work well for your scenario. BroControl (broctl) has an "update" command which can update variables defined as const at runtime. You can use the update command if you maintain your list of subnets in a variable like this:

# Explicit set[subnet] type (Bro also infers it from the initializer).
const block_these_networks: set[subnet] = {
  1.2.3.0/24,
  6.5.4.0/24,
} &redef;

You would be able to change the values in that script then go into BroControl and run the "check" command to make sure that your script doesn't have any syntax errors. Then run "install", then "update". That will update all const values in all Bro instances (in the event that you are running a cluster).

Feel free to ask again if you need more help. We are working on making many of these jobs easier with each release.

2. Assuming yes, should I implement this logic at the 'new_connection' event? (I would like to drop connections from these IPs as soon as possible).

Yes, I think new_connection would work.

  .Seth

Resurrecting an old thread.

Seth’s information on “broctl update”, reproduced below, has proven useful to us when changing const variables (sounds like a contradiction!), such as maintenance of whitelists or blacklists, without restarting bro. I’ve been thinking about some use cases of redef’ing consts, where I would like to cook the data in the consts. This I typically do with a bro_init event handler when bro starts up. Is there some way to trigger an event when these updates occur, so that the updated variable can be recooked?

Thanks in advance

Seth's information on "broctl update", reproduced below, has proven useful to us when changing const variables (sounds like a contradiction!), such as maintenance of whitelists or blacklists, without restarting bro. I've been thinking about some use cases of redef'ing consts, where I would like to cook the data in the consts. This I typically do with a bro_init event handler when bro starts up. Is there some way to trigger an event when these updates occur, so that the updated variable can be recooked?

A general event called "Control::configuration_update" gets queued when a node's configuration gets changed by e.g. `broctl update`. So handling that I think should be an indication that the node's redef'able consts may have changed. Maybe that will work for what you want to do?

    Jon

Thanks Jon,

That should help with what I’m contemplating. It would be really cool if there was a generational attribute (probably just a value that is incremented on update) on tables, so that the event could sense which table had, in fact, been changed. That’s just a wishlist item, as I don’t have any significant use cases for such functionality.

Thanks again,

Jim
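The following script is an added example written for this thread; it is not code posted by Seth, Jon or Jim, nor part of Bro itself. It ties together the three pieces discussed above: Seth's redef'able const pushed out with `broctl update`, the "cook at bro_init" pattern Jim describes, and Jon's `Control::configuration_update` event used to re-cook the data on each push. It also checks the cooked table from `new_connection`, as suggested for Dave's original question, and stops further analysis of matching connections with the `skip_further_processing` built-in. The module name, the network ranges, the labels and the per-node generation counter are all assumptions; the syntax is Bro 2.x (in Zeek, `bro_init` is `zeek_init`).

```bro
# Added example (not from the thread): redef'able const, cooked at startup and
# re-cooked on Control::configuration_update. Networks and labels are made up.
module IgnoreNets;

export {
    # Raw data as maintained by the operator and pushed with `broctl update`.
    # The subnets and label strings are constructed sample values.
    const ignore_networks: table[subnet] of string = {
        [10.1.0.0/16]    = "Lab",
        [192.168.0.0/16] = "Office",
    } &redef;

    # Cooked form of the data: labels normalised to lower case.
    global cooked: table[subnet] of string;

    # Per-node generation counter, bumped on every configuration update.
    # Jim's wish was a per-table counter; with the event alone this
    # per-node counter is the closest thing available.
    global generation: count = 0;

    # Rebuild the cooked table from the current const contents.
    global recook: function();
}

function recook()
    {
    # Start from an empty table so entries removed by the update disappear.
    clear_table(cooked);
    for ( net in ignore_networks )
        cooked[net] = to_lower(ignore_networks[net]);
    }

# Initial cook at startup, as Jim describes doing today.
event bro_init()
    {
    recook();
    }

# Re-cook whenever broctl pushes new const values to this node.
event Control::configuration_update()
    {
    ++generation;
    recook();
    }

# Seth's suggestion: act as early as possible, on new_connection.
# Membership of an addr in a subnet-indexed table is a longest-prefix match.
event new_connection(c: connection)
    {
    if ( c$id$orig_h in cooked || c$id$resp_h in cooked )
        # Stop further protocol analysis of this connection.
        skip_further_processing(c$id);
    }
```

Because `Control::configuration_update` is raised per node, a cluster with several workers re-cooks on each of them independently; the `generation` counter is therefore per process, not a global version of the table.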

Have you looked at all into the Input Framework?

http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html
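As an added example of the approach the link above points to (not code from the thread or from the linked post), the script below fills the ignore list from a file with the Input framework instead of a redef'able const. In `Input::REREAD` mode the file is re-parsed whenever it changes, so the list can be updated without a `broctl install`/`update` cycle. The file path, the file contents and the module name are assumptions; the Input framework requires Bro 2.1 or later, and the `Input::end_of_data` event shown is the name used from Bro 2.2 on.

```bro
# Added example (not from the thread): load the ignore list from a file with
# the Input framework, re-reading it whenever the file changes.
module IgnoreNetsInput;

export {
    # Path to a tab-separated file; assumed location, not a real default.
    const list_file = "/usr/local/bro/share/ignore-networks.txt" &redef;

    # Destination set filled and maintained by the Input framework.
    global ignore_set: set[subnet] = set();
}

# One record per line of the file. The file is expected to look like this
# (constructed sample; the header line and fields are TAB-separated):
#   #fields net
#   10.1.0.0/16
#   192.168.0.0/16
type Idx: record {
    net: subnet;
};

event bro_init()
    {
    # REREAD mode re-parses the file whenever its modification time changes.
    # With no $val given, the destination is treated as a set of the index.
    Input::add_table([$source=list_file, $name="ignore_networks",
                      $idx=Idx, $destination=ignore_set,
                      $mode=Input::REREAD]);
    }

# Fires after each (re)read has been fully merged into ignore_set.
event Input::end_of_data(name: string, source: string)
    {
    if ( name == "ignore_networks" )
        print fmt("ignore list (re)loaded from %s: %d entries",
                  source, |ignore_set|);
    }

# Same early check as before: decide on the very first event of a connection.
event new_connection(c: connection)
    {
    if ( c$id$orig_h in ignore_set || c$id$resp_h in ignore_set )
        skip_further_processing(c$id);
    }
```

In a cluster each worker reads the file itself, so the file has to be present and identical on every worker host; the `Input::end_of_data` message is a convenient place to log the entry count so that a stale or truncated copy on one node shows up in its output.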