bro loggers

Feeling empowered by having attended the recent BRO workshop, I decided I wanted to make a change to the scan.bro policy script. I recall that I heard that I should not change any scripts in the /usr/local/bro/policy directory. Rather, I should move the desired script to /usr/local/bro/site and change the name to local.scan.bro, for example. Having done this, when I start bro I get ...

[root@rhyolite ~]# /etc/init.d/bro start
bro.rc: Running as non-root user root
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/local.scan.bro, line 1: error: can't open scan
... FAILED

Hummm, looking at permissions in /usr/local/bro/site I see ...

[root@rhyolite rreitz]# ls -l /usr/local/bro/site
total 452
-rw-r--r-- 1 root root 6 Apr 17 00:55 incident_counter
-rw-r--r-- 1 root root 13639 Aug 20 09:37 local.scan.bro
-rw-r--r-- 1 root root 464 Jul 24 00:42 local.site.bro
-rw-r--r-- 1 root root 2026 Aug 14 14:49 rhyolite.fnal.gov.bro
-rw-r--r-- 1 root root 424977 Aug 6 09:47 signatures.sig
-rw-r--r-- 1 root root 926 Jul 25 11:06 watchdarknets.bro

The script /usr/local/bro/site/local.scan.bro begins with ...

[root@rhyolite ~]# head /usr/local/bro/site/local.scan.bro
# $Id: scan.bro 4613 2007-07-06 04:16:51Z vern $

@load notice
@load port-name
@load hot
@load trw-impl

redef enum Notice += {
         AddressDropped, # connectivity w/ given address has been dropped
         AddressDropIgnored, # a request to drop connectivity has been ignored

One more question. In scan.bro I want to call a script that will create an event in Fermilab's issue tracker whenever a scanner is found. I used the drop_connectivity_script variable to point to my script. Will the system() call use the existing $PATH to find the script? Should the script be in /usr/local/bro/scripts directory?

I'm using Bro Version 1.3.2. My bro start policy looks like this...

[root@rhyolite ~]# cat /usr/local/bro/site/rhyolite.fnal.gov.bro
# $Id: local.lite.bro 1115 2005-03-20 06:51:11Z vern $

# This file is intended for host-specific Bro policy.

# What is host-specific? It can be anything that is not the default
# after installation. This is the place to make tweaks and changes
# to modify policy to suit your network environment and preferences.

# The following causes Bro to load local.XXX.bro anytime you
# "@load XXX" (along with first loading XXX.bro).

Hmmm.... I think your scripts actually look ok and I would think
this should work. Can you try it without the bro.rc wrapper, i.e.,
set BROPATH to your policy directories and run Bro manually with the
start policy file?

Robin
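To narrow down which @load Bro is choking on before running it by hand the way Robin suggests, here is an added shell helper (not part of the thread or of Bro) that resolves every @load name in a policy file against a BROPATH-style directory list. It assumes Bro's lookup rule is: try each BROPATH directory for "<name>" and then "<name>.bro", and report the first miss as "can't open <name>".

```sh
#!/bin/sh
# Added example, not from the thread: list the @load targets of a Bro policy
# file that cannot be found on BROPATH. Assumed lookup rule: each BROPATH
# directory is tried for "<name>" and then "<name>.bro".

# resolve_load NAME PATHLIST: print the first matching file, or return 1.
resolve_load() {
    name="$1"
    pathlist="$2"
    oldifs="$IFS"
    IFS=:
    set -- $pathlist          # split the colon-separated list into $@
    IFS="$oldifs"
    for dir in "$@"; do
        for cand in "$dir/$name" "$dir/$name.bro"; do
            if [ -f "$cand" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    return 1
}

# check_loads POLICY [PATHLIST]: print one "ok:" or "missing:" line per @load
# directive in POLICY; return 1 if anything is missing. PATHLIST defaults to
# $BROPATH, then to the install's policy and site directories.
check_loads() {
    policy="$1"
    pathlist="${2:-${BROPATH:-/usr/local/bro/policy:/usr/local/bro/site}}"
    status=0
    # Only real directives count: lines starting with @load, not comments.
    for name in $(sed -n 's/^[[:space:]]*@load[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$policy"); do
        if resolve_load "$name" "$pathlist" >/dev/null; then
            printf 'ok:      %s\n' "$name"
        else
            printf 'missing: %s\n' "$name"
            status=1
        fi
    done
    return "$status"
}
```

Once every line reports ok, the manual run is `BROPATH=/usr/local/bro/policy:/usr/local/bro/site bro -i <iface> rhyolite.fnal.gov.bro` with the wrapper out of the way.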