I have 2 questions:
How do I load custom scripts in the core of Bro?
Is the extract-files script different because it’s not in the “policy” folder?
I’m trying to understand how Bro custom scripts work.
As far as I understand, custom scripts are supposed to go in the “policy” section, and then are called from the local.bro script.
To test this behavior I created a script that flags every DNS query.
It just generates a notice and logs it.
I run bro on my nslookups pcap (specifying the dns logger script in the command line) and it works, but when I add `@load dummy/dummy-dns` to local.bro and just run bro without specifying the additional file, I see no notice.log file. (My script is in the folder /opt/bro/share/bro/policy/dummy that I created for the occasion.)
Then my problem is with extracting files, my local.bro contains:
`@load file-extraction/extract` (in the folder /opt/bro/share/bro), and it doesn’t extract files if I just run bro without specifying the script in the command line.
broctl scripts shows my scripts so I thought they were used now by the bro instance but nothing. It doesn’t log the files I download, it doesn’t notice me when I do a DNS query.
How do I do that in Bro and use custom scripts by default for all incoming traffic?
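For reference, here is an added example of a minimal “flag every DNS query” policy script of the kind described in the post (this is illustrative code, not the poster’s script). It assumes the file is saved as /opt/bro/share/bro/policy/dummy/dummy-dns.bro, so that `@load dummy/dummy-dns` in local.bro resolves through the default BROPATH; the module name `Dummy` and the notice type `Dummy::DNS_Query` are chosen for the example.

```bro
##! Added example: raise one notice per DNS query observed.
##! Assumed path: /opt/bro/share/bro/policy/dummy/dummy-dns.bro
##! Loaded from local.bro with:  @load dummy/dummy-dns

# The notice framework writes to notice.log; the DNS analyzer
# supplies the dns_request event. Both are in the base scripts.
@load base/frameworks/notice
@load base/protocols/dns

module Dummy;

export {
    redef enum Notice::Type += {
        ## Raised once for every DNS query seen on the wire.
        DNS_Query
    };
}

# dns_request fires for each query; no $identifier is set, so the
# notice framework's default suppression does not collapse repeats
# and every query produces its own notice.log entry.
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
    {
    NOTICE([$note=Dummy::DNS_Query,
            $msg=fmt("DNS query for %s (qtype %d) from %s",
                     query, qtype, c$id$orig_h),
            $sub=query,
            $conn=c]);
    }
```

When running under broctl, editing local.bro alone does not change the running instance: `broctl check` validates the scripts, `broctl install` copies them into the spool, and `broctl restart` makes the workers pick them up. A quick offline check is `bro -r nslookups.pcap local` from the site directory, which should produce a notice.log with `Dummy::DNS_Query` rows.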