Hello Bro Community,
I’m forwarding along a Facebook post our page received:
Can someone help me with how to split connections from internal and external into a separate log? I also don't want the traffic from outside to the inside.
Find below the script I'm using. I have been looking for someone to help me for a month now; it's for educational purposes.
Not 100% sure what question is being asked; however, I put together a simple script to log files based on directionality:
https://github.com/criticalstack/bro-scripts/blob/master/files-log-by-direction/files-log-by-direction.bro
There are some subtleties here that may not be obvious:
– a file can have multiple transmitters or receivers; both tx_hosts and rx_hosts in the Files::Info record are a set[addr]
– files do not have to come from a connection
In my example, I just use the first TX and RX to make the decision.
Thanks,
Liam Randall
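The approach described in the reply above, written out as an added example (this is not the linked files-log-by-direction.bro script, and not code from the original post): a Bro script that routes Files::LOG entries into files_inbound, files_outbound, files_internal, files_external or files_unknown logs using a Log::Filter with a path_func. It handles the two subtleties from the reply: tx_hosts/rx_hosts are sets, so only the first element of each is used, and a file that did not come from a connection may have empty host sets, which lands in files_unknown. It assumes Site::local_nets has been populated by the deployment (the 10.0.0.0/8 redef is only an illustrative assumption); the module and function names are chosen here.

```bro
# Added example: split the Files log by direction of the first tx/rx host.
# Assumes Site::local_nets describes the internal networks; the redef below
# is an illustrative placeholder, not a recommendation for any real site.
redef Site::local_nets += { 10.0.0.0/8 };

module FilesByDirection;

export {
    ## Classify a Files::Info record by its first transmitter and receiver.
    ## Returns "inbound", "outbound", "internal", "external" or "unknown".
    global direction: function(rec: Files::Info): string;
}

# Return an arbitrary (first) member of a set of addresses.
# Only call this on a non-empty set; the fallback value is never reached
# from direction() because the empty case is checked first.
function first_addr(hosts: set[addr]): addr
    {
    for ( h in hosts )
        return h;
    return 0.0.0.0;
    }

function direction(rec: Files::Info): string
    {
    # Files do not have to come from a connection, so either set may be
    # empty; there is then nothing to base a direction decision on.
    if ( |rec$tx_hosts| == 0 || |rec$rx_hosts| == 0 )
        return "unknown";

    # Caveat: a file can have several transmitters and receivers. As in the
    # reply above, only the first of each set drives the decision; a file
    # seen between several host pairs is classified by one pair only.
    local tx = first_addr(rec$tx_hosts);
    local rx = first_addr(rec$rx_hosts);

    local tx_local = Site::is_local_addr(tx);
    local rx_local = Site::is_local_addr(rx);

    if ( tx_local && rx_local )
        return "internal";
    if ( tx_local )
        return "outbound";
    if ( rx_local )
        return "inbound";
    return "external";
    }

# path_func for the Files log: the returned string becomes the log file name
# (files_inbound.log, files_outbound.log, ...).
function files_path(id: Log::ID, path: string, rec: Files::Info): string
    {
    return fmt("files_%s", direction(rec));
    }

event bro_init()
    {
    # Replace the default single files.log with the per-direction split.
    Log::remove_default_filter(Files::LOG);
    Log::add_filter(Files::LOG, [$name="files-by-direction", $path_func=files_path]);
    }
```

Load this alongside the standard file analysis scripts (for example `bro -r trace.pcap files-by-direction.bro`). If the poster only wants to drop the outside-to-inside files rather than log them separately, the filter's `$pred` field can return `F` for records where `direction(rec) == "inbound"`; keeping them in their own log is usually the safer choice, since those are the files most worth inspecting.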