I want to capture certain traffic using input framework

Hi All

I used the input framework blacklist approach (https://www.bro.org/sphinx/frameworks/input.html) that lets a Bro script read IPs from a file (a log file) that is dynamically written by another Bro instance.

I managed to read blacklist IPs from blacklist file.

My goal is to let Bro only capture and process live packets that match those blacklist IPs, but the issue is that the event captures all incoming packets.
The following event captures and processes all packets before it reads and matches against the file. For example, once the following Bro script runs, all incoming traffic is processed in this event, regardless of a blacklist match:

event signature_match(state: signature_state, msg: string, data: string)
{
    if ( state$conn$id$orig_h in blacklist )
    {
        # do analysis
    }
}

  1. Is there any way to filter the incoming traffic in Bro based on the input framework blacklist?

FYI: I can use BPF (bro -f file.log), but in this case the issue is that Bro has to be restarted many times, since the file keeps adding new IPs and file.log has to be updated. I also found the exclude filter function, but that excludes; I want to include certain traffic to be captured.

  2. Can an event be triggered only when it passes a condition? For example, in my case, can I say:

if ( state$conn$id$orig_h in blacklist )
{
    event signature_match(state: signature_state, msg: string, data: string)
    {
        print fmt("IRC bot Match!!! in %s", state$conn$id$orig_h);
    }
}
else
{
    # do nothing
}

If not, is there any way to make an event run only when it passes an if statement?

Bro version 2.3

Thanks in advance

Hi,

> FYI: I can use BPF (bro -f file.log), but in this case the issue is that
> Bro has to be restarted many times, since the file keeps adding new IPs and
> file.log has to be updated. I also found the exclude filter function, but
> that excludes; I want to include certain traffic to be captured.

you can use the packet filter framework (see
https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html)
to install your filter live.

Regards,
Jan
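As an added example of what Jan suggests (this is not code from the thread or from the Bro project), the script below ties the two frameworks together: the Input framework keeps a set of blacklisted addresses in sync with the file in REREAD mode, and each time the file has been (re)read the script rebuilds a BPF expression from the set, stores it in restrict_filters and calls PacketFilter::install() to swap the capture filter without restarting Bro. The file path, the stream name "blacklist" and the "#fields ip" header in the blacklist file are assumptions for the example.

```bro
# Added example (not from the original thread): rebuild and re-install the
# BPF filter live from the blacklist maintained by the Input framework.
# Assumptions: the blacklist is an ASCII file with a "#fields ip" header
# (as another Bro instance would write it) at the path below.

@load base/frameworks/input
@load base/frameworks/packet-filter

module BlacklistFilter;

export {
	## Path of the blacklist file (assumption; adjust for your deployment).
	const blacklist_file = "/var/bro/blacklist.log" &redef;
}

## Index type for the Input framework: one address per line.
type Idx: record {
	ip: addr;
};

## The blacklist, filled and kept current by the Input framework.
global blacklist: set[addr] = set();

## Build "host A or host B or ..." from the current blacklist.
## "host" matches either direction, so both halves of a connection with a
## blacklisted originator are captured; the orig_h check inside
## signature_match still decides which side was the originator.
function build_bpf(): string
	{
	local bpf = "";
	for ( ip in blacklist )
		{
		local term = fmt("host %s", ip);
		bpf = ( bpf == "" ) ? term : fmt("%s or %s", bpf, term);
		}
	return bpf;
	}

## Re-install the packet filter. Entries in restrict_filters are AND-ed
## with the capture filter by the packet-filter framework, so only packets
## involving blacklisted hosts reach the event engine and signature_match
## is never raised for anything else.
function reinstall_filter()
	{
	local bpf = build_bpf();
	if ( bpf == "" )
		{
		# libpcap rejects a filter that matches nothing, so an empty
		# blacklist drops the restriction (all traffic is processed
		# again) and warns rather than installing a bogus filter.
		if ( "blacklist" in restrict_filters )
			delete restrict_filters["blacklist"];
		Reporter::warning("blacklist is empty; no packet filter restriction installed");
		}
	else
		restrict_filters["blacklist"] = bpf;

	if ( ! PacketFilter::install() )
		Reporter::error("failed to install packet filter built from blacklist");
	}

## Fires after every read of the table, including each re-read in REREAD
## mode, i.e. whenever the other Bro instance changes the file.
event Input::end_of_data(name: string, source: string)
	{
	if ( name == "blacklist" )
		reinstall_filter();
	}

event bro_init()
	{
	Input::add_table([$source=blacklist_file, $name="blacklist",
	                  $idx=Idx, $destination=blacklist,
	                  $mode=Input::REREAD]);
	}
```

Two caveats when using this on a real sensor: a long chain of "or host" terms makes the BPF program large, and the packet-filter framework will raise a notice if compiling it exceeds max_filter_compile_time, so very large blacklists may need a different approach than one BPF term per address; and because the restriction is enforced at capture time, the "in blacklist" test inside signature_match becomes redundant except for distinguishing originator from responder.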