Bro programming question

Hi All,

Im a student at the university of Amsterdam currently working on BRO in combination with SNORT.

I would like BRO to execute a script (create ACL or static route via ssh). If i'm correct BRO should first needs to notice the data and send it to the manager.
The following should log all data from 192.168.101.1 with TCP on port 0. And print it in a log file (which one?)
<code>
event new_connection(c: connection)
  {
if (c$id$orig_h == 192.168.101.1 && c$id$resp_p == 0/tcp)
  print fmt("New Connection => Source IP: %s, Source Port: %s, Destination IP: %s, Destination Port: %s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
}
</code>

When I run this on a worker it works fine:
bro@ubuntu:~$ /usr/local/bro/bin/bro -r testfile.pcap first.bro
New Connection => Source IP: 192.168.101.1, Source Port: 0/tcp, Destination IP: 192.168.103.1, Destination Port: 0/tcp

The script is located in site and I do a check install restart via the broctl. But when I send data to this worker I cant see any logs generated. I must do a lot of things wrong but I cant figure out what.
And where do I put the script to check the payload from this data and with that information execute a shell script via piped_exec(program: string, to_write: string): bool.

I'm sorry for my bad explanation I'm not a programmer but I would like to make this prove of concept.

Kind regards,

Rawi Ramdhan

Im a student at the university of Amsterdam currently working on BRO in combination with SNORT.

I don't know what you're planning on doing, but have you noticed that Barnyard2 has support for a Bro output plugin? Each alert in the unified2 log file from Snort is turned into a Bro event.
  https://github.com/firnsy/barnyard2

The following should log all data from 192.168.101.1 with TCP on port 0. And print it in a log file (which one?)

You're using the print statement so it will only print to stdout. You have to use the logging framework if you want actual logs. :slight_smile:

And where do I put the script to check the payload from this data and with that information execute a shell script via piped_exec(program: string, to_write: string): bool.

Just call your program with the full path in the program field and it should work fine.

  .Seth