NetControl configuration

Hello,

Is it easier to have a NetControl action in each script, or to have one file that contains all the NetControl actions? I want to do one that has all the NetControl actions contained in one script, but am unsure of how / if it is possible to import information from one script to another.

And if it is possible to import information to a single NetControl script, would someone be kind enough to provide a template?

Freundliche Grüße / Best regards,

Andrew Dellana

Intern

What sort of actions are you talking about? If you are triggering these actions based on a NOTICE being raised, then you can use a notice hook to trigger the netcontrol actions when certain notices are raised.

If you just want to store helpers in a file, you just need to do something like

# my-netcontrol-actions.bro
@load base/frameworks/netcontrol

function do_block(ip: addr)
	{
	NetControl::drop_address(ip, 20 secs, "No internet for you!");
	}

And then in any other script

# my-script.bro
@load my-netcontrol-actions

event ...
	{
	do_block(id$orig_h);
	}

Yes, I do want to make the NetControl actions based on what is alerted in Notices. Can all the helpers be stored in one file and only call the helper that is needed?

Freundliche Grüße / Best regards,

Andrew Dellana
Intern

Yep, you can do exactly that.

Got around to adding net control to all the scripts, and now they are failing. The script is FoxIT's ransomware script. Any idea how I can get this to work?

event NetControl::init()
{
NetControl::drop_connection (conn_id, 0, "Cyrpto Blocked")
}

hook Notice::policy(n: Notice::Info)
        {
        if fox_entropy=T Then
                add n$actions[Notice::ACTION_DROP]
                add n$actions[Notice::ACTION_EMAIL];
        }

error in /opt/bro/share/bro/base/init-bare.bro, lines 123-127 and /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127: type clash (conn_id and conn_id)
error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127 and /opt/bro/share/bro/base/init-bare.bro, lines 123-127: type mismatch (conn_id and conn_id)
error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 127: argument type mismatch in function call (NetControl::drop_connection(conn_id, 0, Cyrpto Blocked))
error in /opt/bro/share/bro/base/misc/CryptoRansomCheck.bro, line 128: syntax error, at or near "}"

Freundliche Grüße / Best regards,

Andrew Dellana
Intern

Hi,

The script excerpt is not quite long enough to see what exactly is going
on here (it does, for example, not show where conn_id is coming from and
how you defined it).

Could you perhaps just post the complete script in its current state?

Johanna

Also, not sure if it's worth pointing out, but this has all kinds of errors and oversights:

> hook Notice::policy(n: Notice::Info)
> {
> if fox_entropy=T Then
> add n$actions[Notice::ACTION_DROP]
> add n$actions[Notice::ACTION_EMAIL];
> }
>

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == FoxEntropy ) # or whatever you are generating the notice for.
		{
		add n$actions[Notice::ACTION_DROP];
		add n$actions[Notice::ACTION_EMAIL];
		}
	}

Always use {} in notice action definitions. I once didn't put notice actions within {} after if conditions. I still haven't forgotten that day because of the unexpected surprises.

Secondly:

> event NetControl::init()
> {
> NetControl::drop_connection (conn_id, 0, "Cyrpto Blocked")
> }

Nope, you put NetControl::drop_connection in your script either associating it with a notice or some other logic.

NetControl::init is to initialize - here is what I have:

event NetControl::init()
        {
        local pacf_acld = NetControl::create_acld([$acld_host=127.0.0.1, $acld_port=broker_port, $acld_topic="bro/event/pacf"]);
        NetControl::activate(pacf_acld, 0);
        }

Then later, something like this:

function drop_it(ip: addr, msg: string): bool
	{
	# drop_info is a table of my own that records the status of earlier drops;
	# skip addresses that are already blocked successfully.
	if ( ip in drop_info && drop_info[ip]$drop_status == SUCCESS )
		return T;

	# drop_address returns the id of the rule that was created.
	local result = NetControl::drop_address(ip, 20 secs, msg);
	print fmt("result is %s", result);

	return T;
	}

Aashish
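Pulling the pieces of this thread together (the helper file loaded via @load, the NetControl::init that activates a backend, a drop helper, and the Notice::policy hook that dispatches on the notice type), here is an added example of one script that owns all NetControl actions. It is not code from the thread or from Bro's own scripts: the module name NetControlActions, the notice type Ransomware_Activity, the helper names and the active_blocks table are assumptions. It goes a little beyond the thread in that it handles both connection-level and host-level notices, avoids issuing duplicate rules for the same address, and logs backend failures via NetControl::rule_error; it uses the built-in debug plugin so it runs without an acld or OpenFlow backend.

```zeek
# my-netcontrol-actions.bro (added example; names are assumptions, not from the thread)
# One script that owns all NetControl plumbing: backend initialisation,
# blocking helpers, and a Notice::policy hook that decides which helper
# to run based on the notice type. Detection scripts only need
# "@load my-netcontrol-actions" and to raise notices.

@load base/frameworks/notice
@load base/frameworks/netcontrol

module NetControlActions;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type raised by a detection script elsewhere.
		Ransomware_Activity,
	};

	## How long a block issued from a notice stays in place.
	const block_duration = 20 secs &redef;

	## Notice types that should trigger a block.
	const drop_on: set[Notice::Type] = { Ransomware_Activity } &redef;

	## Block all traffic from an address. Returns the NetControl rule id.
	global block_address: function(ip: addr, why: string): string;

	## Block a single connection. Returns the NetControl rule id.
	global block_connection: function(c: conn_id, why: string): string;
}

# Rule ids already issued per address, so repeated notices for the same
# host do not pile up duplicate rules. Entries expire with the block.
global active_blocks: table[addr] of string &create_expire=block_duration;

event NetControl::init()
	{
	# The debug plugin only logs what it would do, which is the safe default
	# while wiring this up; replace it with create_acld()/create_openflow()
	# once the hook logic has been checked against real notices.
	local debug = NetControl::create_debug(T);
	NetControl::activate(debug, 0);
	}

function block_address(ip: addr, why: string): string
	{
	if ( ip in active_blocks )
		return active_blocks[ip];

	local id = NetControl::drop_address(ip, block_duration, why);
	active_blocks[ip] = id;
	return id;
	}

function block_connection(c: conn_id, why: string): string
	{
	return NetControl::drop_connection(c, block_duration, why);
	}

# Surface backend outcome in reporter.log instead of assuming success.
event NetControl::rule_error(r: NetControl::Rule, p: NetControl::PluginState, msg: string)
	{
	Reporter::warning(fmt("NetControl rule %s failed: %s", r$id, msg));
	}

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note !in drop_on )
		return;

	# Notices raised with $conn carry n$id; host-level ones carry only n$src.
	if ( n?$id )
		block_connection(n$id, fmt("%s", n$note));
	else if ( n?$src )
		block_address(n$src, fmt("%s", n$note));

	add n$actions[Notice::ACTION_EMAIL];
	}
```

A detection script then does `@load my-netcontrol-actions` and raises `NOTICE([$note=NetControlActions::Ransomware_Activity, $conn=c, $msg="..."])`; the hook above does the rest, and redef'ing `NetControlActions::drop_on` is how further notice types are added without touching the hook.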