I’m creating a script that hooks Notice notice/policy and executes an ActiveHTTP call to submit specific notice events to a REST endpoint. In the submission I’d like to include the Notice::Info object as a JSON data field so tried:
to_json(n)
But it produces the following error:
1485869266.028563 error in /Users/dave/Projects/bro/share/bro/base/utils/json.bro, line 26: wrong port format, must be /[0-9]{1,5}/(tcp|udp|icmp)/ (to_port(cat(v)))
Do I need to manually re-package all the fields the Notice::Info, and if so, has anyone already done this so I can borrow the code?
This is the Notice::Info object I’m testing with:
[ts=1485872499.141021, uid=CSRU563utEL1B2yFl5, id=[orig_h=10.0.2.15, orig_p=1381/tcp, resp_h=199.192.156.134, resp_p=443/tcp], conn=, iconn=, f=, fuid=, file_mime_type=, file_desc=, proto=tcp, note=Signatures::Sensitive_Signature, msg=10.0.2.15: ATTACK-RESPONSES Microsoft cmd.exe banner (reverse-shell originator), sub=POST /bbs/info.asp HTTP/1.1\x0d\x0aHost: 199.192.156.134:443\x0d\x0aContent-Length: 165\x0d\x0aConnection: Keep-Alive\x0d\x0aCache-Control: no-cache\x0d\x0a\x0d\x0a3D333531501A…, src=10.0.2.15, dst=199.192.156.134, p=443/tcp, n=, src_peer=[id=0, host=127.0.0.1, p=0/unknown, is_local=T, descr=bro, class=], peer_descr=bro, actions={
Phantom::ACTION_PHANTOM,
Notice::ACTION_LOG
}, email_body_sections=[], email_delay_tokens={
}, identifier=, suppress_for=1.0 hr, dropped=F, remote_location=]
-Dave