I want to check if
n$id$orig_h
contains a valid ip address.
But when I use an if comparison, something like
If ( n$id$orig_h = "-" )
I got a type clash (string and cmd) error.
How to solve this?
Thx
Have you tried n$id?$orig_h? It should return true if it is set. Are you concerned that it may contain something but it isn't a valid IP?
Also, I believe “-” is just a representation of an unset field for the log output. https://www.bro.org/sphinx/scripts/base/frameworks/logging/writers/ascii.bro.html#id-LogAscii::unset_field
Check if present first.
if ( n$id?$orig_h )
    if ( n$id$orig_h ==
Regards,
Daniel
Thanks,
Your reply solves my syntax error, but I want to use an external script to push a message to my phone when a notice occurs.
When I have an Intel hit and a port scan I see the notice.log filled.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2016-11-24-22-26-05
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1480022763.168490 Cim1y02Kw1ySXSCjFb 192.168.2.2 43632 185.78.29.33 80 - - - tcp Intel::Notice Intel hit on 185.78.29.33 at HTTP::IN_HOST_HEADER 185.78.29.33 192.168.2.2 185.78.29.33 80 - bro Notice::ACTION_EMAIL,Notice::ACTION_LOG 0.000000 F - - - - -
1480022784.174025 - - - - - - - - - Scan::Port_Scan 192.168.2.2 scanned at least 15 unique ports of host 192.168.2.254 in 0m1s local 192.168.2.2 192.168.2.254 - - bro Notice::ACTION_EMAIL,Notice::ACTION_LOG 0.000000 F - - - - -
In my local.bro I do a hook in the notice function:
hook Notice::policy(n: Notice::Info)
{
    add n$actions[Notice::ACTION_EMAIL];

    # Declare the command once, in function scope, and assign it in either branch.
    local cmd: string;
    if ( n$id?$orig_h )
    {
        cmd = fmt("/home/pi/scripts/pushover_notify Bro_alert src: %s %s", n$id$orig_h, n$msg);
    }
    else
    {
        cmd = fmt("/home/pi/scripts/pushover_notify Bro_alert %s", n$msg);
    }
    # Note: n$msg is handed to the shell unquoted here.
    system(cmd);
}
But the else part is not executed for the port scan, despite id.orig_h in the notice.log containing a "-", so the then branch should be false on a port scan.
Can you help me out?
Typically the way I would do something like that is: add a custom notice (like NOTICE::DO_SOMETHING) for the things that should take that action, then write a notice hook that looks for NOTICE::DO_SOMETHING and takes the specific action.
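A complete version of the hook, written for this thread as an added example (it is not the poster's script and not part of Bro itself). It follows the custom-action route suggested in the last reply, and it covers the port-scan case from the notice.log above, where the whole n$id record is unset (all id.* columns are "-"), not just orig_h, so the test has to start with n?$id and fall back to n$src. Assumptions: the notifier path is the one from the post; ACTION_PUSHOVER is a made-up action name; str_shell_escape is the Bro builtin that quotes a string for the shell (Zeek later renamed it safe_shell_quote); policy/misc/scan and policy/frameworks/intel/do_notice are loaded, as the default local.bro does, so Scan::Port_Scan and Intel::Notice resolve.

```bro
# Added example for this thread; not the original poster's code and not
# shipped with Bro.  Routes selected notices to an external push script
# through a dedicated Notice::Action instead of calling system() straight
# from Notice::policy.

@load base/frameworks/notice
@load policy/misc/scan                   # defines Scan::Port_Scan
@load policy/frameworks/intel/do_notice  # defines Intel::Notice

module Pushover;

export {
    redef enum Notice::Action += {
        ## Invented action name: deliver the notice via the push script.
        ACTION_PUSHOVER
    };

    ## Path of the external notifier (taken from the post above).
    const notify_script = "/home/pi/scripts/pushover_notify" &redef;
}

## Decide which notices get pushed.  Intel hits and port scans are the two
## notice types visible in the log above; everything else is left alone.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Intel::Notice || n$note == Scan::Port_Scan )
        add n$actions[ACTION_PUSHOVER];
    }

## Build the "src:" part of the message.  A port-scan notice carries no
## n$id record at all, so n$id?$orig_h on its own is not a safe test:
## check n?$id first, then fall back to n$src, which the scan detector
## does fill in (see the "src" column of the log above).
function describe_source(n: Notice::Info): string
    {
    if ( n?$id && n$id?$orig_h )
        return fmt("src: %s", n$id$orig_h);

    if ( n?$src )
        return fmt("src: %s", n$src);

    return "src: unknown";
    }

## Notice::notice runs after Notice::policy has settled the action set.
## n$msg contains attacker-influenced text (for an Intel hit it embeds the
## HTTP Host header that matched), so the whole message is shell-escaped
## before it is handed to system().
hook Notice::notice(n: Notice::Info)
    {
    if ( ACTION_PUSHOVER in n$actions )
        {
        local text = fmt("Bro_alert %s %s", describe_source(n), n$msg);
        local cmd = fmt("%s %s", notify_script, str_shell_escape(text));
        system(cmd);
        }
    }
```

With this in local.bro, the Intel hit from the log produces "src: 192.168.2.2" from n$id$orig_h, and the port scan produces "src: 192.168.2.2" from n$src rather than relying on a field that is not set. Quoting the message before system() matters because the Host header or an Intel description can contain shell metacharacters; without str_shell_escape, a crafted match would run commands on the sensor with the privileges of the Bro process.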