I'm a student at the University of Amsterdam, currently working on Bro in combination with Snort.
I would like Bro to execute a script (create an ACL or static route via SSH). If I'm correct, Bro should first notice the data and send it to the manager.
The following should log all data from 192.168.101.1 with TCP on port 0 and print it to a log file (which one?):
event new_connection(c: connection)
    {
    # Match connections from the watched host to TCP port 0
    if ( c$id$orig_h == 192.168.101.1 && c$id$resp_p == 0/tcp )
        print fmt("New Connection => Source IP: %s, Source Port: %s, Destination IP: %s, Destination Port: %s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    }
When I run this on a worker it works fine:
bro@ubuntu:~$ /usr/local/bro/bin/bro -r testfile.pcap first.bro
New Connection => Source IP: 192.168.101.1, Source Port: 0/tcp, Destination IP: 192.168.103.1, Destination Port: 0/tcp
The script is located in site and I do a check, install, restart via broctl. But when I send data to this worker I can't see any logs generated. I must be doing a lot of things wrong but I can't figure out what.
And where do I put the script to check the payload from this data and, with that information, execute a shell script via piped_exec(program: string, to_write: string): bool?
I'm sorry for my bad explanation; I'm not a programmer but I would like to make this proof of concept.
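One way to do what the post asks, as an added example that is not from the original post or the Bro project: a Bro 2.x script that records the matching connections through the logging framework (so they end up in the manager's log directory in a cluster rather than only in a worker's stdout.log) and triggers a response command via piped_exec, at most once per source host per hour. The watched address and port are taken from the post; the response script path /usr/local/bin/respond.sh is a placeholder.

```bro
##! Added example, not from the post or the Bro project; host, port and
##! command path are assumptions for illustration.
module Watch;
export {
    redef enum Log::ID += { LOG };
    ## One line per matching connection; written to watch.log.
    type Info: record {
        ts:     time   &log;
        uid:    string &log;
        orig_h: addr   &log;
        orig_p: port   &log;
        resp_h: addr   &log;
        resp_p: port   &log;
    };
    ## Assumed values: host/port from the post, placeholder script path.
    const watch_host = 192.168.101.1 &redef;
    const watch_port = 0/tcp &redef;
    const respond_cmd = "/usr/local/bin/respond.sh" &redef;
    ## Hosts already acted on; entries expire, so a host triggers the
    ## response at most once per hour rather than once per connection.
    global handled: set[addr] &create_expire = 1hr;
}

event bro_init()
    {
    Log::create_stream(Watch::LOG, [$columns=Info, $path="watch"]);
    }

event new_connection(c: connection)
    {
    if ( c$id$orig_h != watch_host || c$id$resp_p != watch_port )
        return;

    # Log::write goes through the logging framework, so in a cluster the
    # entry reaches the manager's logs; print on a worker only lands in
    # that worker's stdout.log.
    Log::write(Watch::LOG, [$ts=network_time(), $uid=c$uid,
                            $orig_h=c$id$orig_h, $orig_p=c$id$orig_p,
                            $resp_h=c$id$resp_h, $resp_p=c$id$resp_p]);

    if ( c$id$orig_h in handled )
        return;
    add handled[c$id$orig_h];

    # Hand the address to the response script on its stdin.
    if ( ! piped_exec(respond_cmd, fmt("%s\n", c$id$orig_h)) )
        Reporter::warning(fmt("piped_exec failed for %s", c$id$orig_h));
    }
```

Place the file under site/, load it from local.bro, then run broctl check, install and restart; the entries appear in watch.log in the manager's current log directory.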