Newbie policy question

I'm a newbie to Bro and have been reading up and playing the last several days.

In trying to get an example from the user manual to work I'm not having much luck.

It's probably something obvious but...

I modified the example on page 40-41 of the User Manual to suit our site.

Here is the policy file (example.bro):

The problem here is that the "if..." is not inside an event handler.
The user manual might be a bit confusing here: this code is just an
excerpt of how to make use of the allow_services table but it does
not work on its own. Take a look at the head of the function
check_hot() in hot.bro to see how this works in larger context.
(check_hot() is in turn called from various event handlers such as
connection_established() in conn.bro).


The manual leaves out a key piece of information: Where to put the
" if ( service !in allow_services ) " line.

This should be in a connection_established event.


event connection_established(c: connection)
        {
        # The responder port of the connection's 4-tuple is the service.
        local id = c$id;
        local service = id$resp_p;
        # The connection is inbound when the responder address is one of ours.
        local inbound = is_local_addr(id$resp_h);

        # Only raise a notice for inbound connections to services not in allow_services.
        if ( inbound && service !in allow_services )
                NOTICE([$note=SensitiveConnection, $conn=c,
                        $msg=fmt("hot: %s", full_id_string(c))]);
        }

(Note: $msg was missing from the manual. This is needed too.)

See conn.bro for more examples.

Chris Alexander wrote:

Thank you both very much!

I had a feeling there was something I wasn't seeing in the forest for all the trees in my way. I've got something that works now.

For the other newbies that may stumble across this thread in the archives this generates useful (??) output to the log files with Bro v1.0:

#----------------- Start test code (example.bro)

@load bro.init
@load brolite
@load conn