Folks,
This may well be an RTFM - I just don't know which section would cover this.
I have two modules created in /opt/app/bro/share/bro/site/ , with the intention of having one @load the other - but I cannot seem to get the combination to work, and I'm unsure even where the failure is.
The @load'ed module, "CU_net_defs", is intended as a shim to some .csv files, periodically updated from the central DB which tracks internal subnet allocations, which is supposed to instantiate two global sets of CIDRs, one for top-level allocations (e.g. 128.253.0.0), and the other for internally-allocated subnets (e.g. 128.253.101.0/25).
The @load'ing module, "bro-wsSMTP", is intended to detect user workstations et al. that have been compromised and are acting as spambots, by the following methodology:
- understand the top-level allocations by @load'ing CU_net_defs;
- understand an internal set of our e-mail infrastructure hosts and networks; and
- generate logfiles, "ws-smtp.{}.log", containing entries where
-- id$orig_h is part of a campus allocation;
-- id$orig_h is *not* part of our e-mail infrastructure; and
-- id$resp_h is *not* part of a campus allocation.
The final goal is to have the resulting "ws-smtp.{}.log" files fed into Splunk for detection/correlation.
The thing is, once I create an expression intended to isolate by way of the criteria above, I get no results whatsoever - even though the data is clearly in the normal smtp.log file.
Slightly abridged instances of the module files are appended below. Can anyone shed any light on this?
Thanks for any info,
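The three-way filter the post describes (originator inside a campus allocation, originator not in the e-mail infrastructure set, responder outside campus), written out in Python over a handful of constructed smtp.log-style rows. This is an added illustration, not the poster's Bro modules and not Bro/Zeek script; every subnet, host and log row below is made up, and the top-level allocations are assumed to be /16 for the sample. It also includes a small sanity check for CSV entries written without a prefix length, since such an entry parses as a single host rather than a subnet.

```python
"""Added example: the campus/mail-infra/external SMTP filter from the post,
applied to constructed smtp.log-style rows. Not the poster's code; all
networks and rows are invented for illustration."""
import ipaddress
from typing import Iterable, List

# Constructed stand-ins for the two CSV-fed sets of CU_net_defs.
# Top-level campus allocations (assumed /16 here for the sample).
CAMPUS_TOPLEVEL = ["128.253.0.0/16", "10.0.0.0/8"]
# Constructed e-mail infrastructure hosts and networks.
MAIL_INFRA = ["128.253.1.0/24", "128.253.2.25/32"]


def bare_entries(entries: Iterable[str]) -> List[str]:
    """Return CSV entries that carry no '/prefix'; ipaddress treats such an
    entry as a single /32 host, which silently shrinks a 'subnet' to one IP."""
    return [e.strip() for e in entries if e.strip() and "/" not in e]


def build_set(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings into network objects, skipping blanks and comments."""
    nets = []
    for e in entries:
        e = e.strip()
        if not e or e.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(e, strict=False))
    return nets


def in_any(addr: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if addr falls inside any network in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def is_workstation_smtp(orig_h: str, resp_h: str, campus, mail) -> bool:
    """The post's three criteria: orig in campus, orig not mail infra,
    resp not in campus."""
    return (in_any(orig_h, campus)
            and not in_any(orig_h, mail)
            and not in_any(resp_h, campus))


# Constructed smtp.log-style rows (tab-separated, Bro/Zeek header style).
# C1: campus workstation -> external MTA   (should match)
# C2: campus mail server -> external MTA   (excluded: orig is mail infra)
# C3: campus workstation -> campus MTA     (excluded: resp is campus)
# C4: external host -> campus MTA          (excluded: orig not campus)
SAMPLE_SMTP_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\n"
    "1.0\tC1\t128.253.101.10\t51000\t203.0.113.25\t25\n"
    "2.0\tC2\t128.253.1.5\t51001\t203.0.113.25\t25\n"
    "3.0\tC3\t128.253.101.11\t51002\t128.253.2.25\t25\n"
    "4.0\tC4\t198.51.100.7\t51003\t128.253.2.25\t25\n"
)


def filter_log(text: str, campus, mail) -> List[str]:
    """Return the uids of rows that satisfy is_workstation_smtp()."""
    hits = []
    cols = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            cols = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or cols is None:
            continue
        row = dict(zip(cols, line.split("\t")))
        if is_workstation_smtp(row["id.orig_h"], row["id.resp_h"], campus, mail):
            hits.append(row["uid"])
    return hits


if __name__ == "__main__":
    campus = build_set(CAMPUS_TOPLEVEL)
    mail = build_set(MAIL_INFRA)
    print("entries without prefix:", bare_entries(["128.253.0.0", "10.0.0.0/8"]))
    print("matching uids:", filter_log(SAMPLE_SMTP_LOG, campus, mail))
```

Running it prints `['128.253.0.0']` for the prefix check and `['C1']` for the filter: only the campus host that is neither a mail server nor talking to a campus MTA survives, which is the set of rows the post wants in ws-smtp.log.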