Input to quarantine system

Hi All,

We are rewriting a helper service due to internal changes in our
network security environment. We currently send Bro alarms via email to
our Request Tracker (RT) database, and call the old helper to parse the
email and gather user information so we can quarantine infected
machines. That works decently, but I was wondering if there is a better
way to do this. Perhaps some method that is easier to parse. We need
to feed some XML into an API for our Network Access Control.

We primarily need IP, timestamp, and a short description of the alarm.
Right now, timestamp isn't included in the emailed alarms. Is there a
better way to send alarms in an easily parsable format? Is there an
easy way to bulk include timestamp in all alarms?



I use execute_with_notice for this in 1.5.. it was disabled in 2.0
because the notice_tags function is incomplete. I patched it a bit to
get it to work again but it needs to be finished..

I'm attaching the patch I had made.. I think it still works :)

execute_with_notice is pretty easy to use... you just define a new
Notice::Action and hook things up to it. See here for example.

The script you call just needs to getenv BRO_ARG_MSG, BRO_ARG_SUB, etc.

execute_with_notice.patch (1.48 KB)
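The script on the receiving end of execute_with_notice, as an added example that is not part of the thread or of the attached patch: it reads the BRO_ARG_* variables the hook exports and emits the XML the original poster wants to feed to the NAC API (IP, timestamp, short description). BRO_ARG_MSG and BRO_ARG_SUB are the names given above; BRO_ARG_SRC and BRO_ARG_TS are assumed names for the source address and notice time and should be matched to whatever the patch actually exports. Two practical points it handles: the IP is validated before anything is sent to the quarantine API, and the alarm text is escaped and stripped of control characters so a payload-controlled string in the notice message cannot corrupt the XML.

```python
import os
import sys
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Environment variables exported by the notice hook. BRO_ARG_MSG and
# BRO_ARG_SUB are named in the thread; BRO_ARG_SRC and BRO_ARG_TS are
# assumed names and must be adjusted to match the local patch.
VAR_SRC = "BRO_ARG_SRC"
VAR_MSG = "BRO_ARG_MSG"
VAR_SUB = "BRO_ARG_SUB"
VAR_TS = "BRO_ARG_TS"
MAX_DESC = 200  # keep the NAC ticket description short


def _clean(text):
    """Drop characters that are illegal in XML 1.0 and collapse whitespace."""
    kept = "".join(ch for ch in text if ch in "\t\n\r" or ord(ch) >= 0x20)
    return " ".join(kept.split())


def notice_to_xml(env=None):
    """Build the quarantine request from BRO_ARG_* variables.

    Returns the XML document as a str, or None when there is no valid
    source IP (nothing should be quarantined on a malformed notice).
    """
    if env is None:
        env = os.environ

    try:
        ip = ipaddress.ip_address(env.get(VAR_SRC, "").strip())
    except ValueError:
        return None

    # Bro passes time as epoch seconds; if the hook does not export a
    # timestamp (the gap the original poster mentions), stamp it here so
    # the NAC record is never without one.
    raw_ts = env.get(VAR_TS, "").strip()
    try:
        when = datetime.fromtimestamp(float(raw_ts), tz=timezone.utc)
    except ValueError:
        when = datetime.now(tz=timezone.utc)

    msg = _clean(env.get(VAR_MSG, ""))
    sub = _clean(env.get(VAR_SUB, ""))
    desc = (msg + (" - " + sub if sub else "")).strip() or "Bro alarm"

    # ElementTree escapes <, > and & in text nodes, so alarm content
    # derived from traffic cannot inject elements into the document.
    root = ET.Element("quarantine")
    ET.SubElement(root, "ip").text = str(ip)
    ET.SubElement(root, "timestamp").text = when.isoformat()
    ET.SubElement(root, "description").text = desc[:MAX_DESC]
    return ET.tostring(root, encoding="unicode")


def parse_quarantine_xml(xml_text):
    """Parse a document produced by notice_to_xml back into a dict."""
    root = ET.fromstring(xml_text)
    return {child.tag: child.text for child in root}


if __name__ == "__main__":
    doc = notice_to_xml()
    if doc is None:
        sys.stderr.write("no valid %s in environment, not quarantining\n" % VAR_SRC)
        sys.exit(1)
    # Replace this print with the POST to the NAC API.
    print(doc)
```

Hook it up as the command run by the Notice::Action and the script does the rest from the environment; the `parse_quarantine_xml` helper exists so the output can be checked locally with a constructed environment before the NAC endpoint is involved.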

This could be done with an ELSA connector (I know, I'm referring to
ELSA, shocker!) that wrote directly to the database. ELSA includes a
connector for CIF that does just that and could be easily edited to
become a custom input connector. If you're interested, let me know,
and I'll write it for you.