I have a question about notices in Bro.
We installed a Bro cluster and wrote a signature file to detect sources whose generated traffic matches the signature. We then expect our notice.log file (/bro/logs/current/notice.log) to be filled with all the information about those sources. To do so, we created a Bro file (located in /bro/share/bro/site/ourfile.bro) to redefine the notice. Right now the only thing it does is print the information in our desired format in the notice.log file.

Until now everything has gone well, but we need to execute a shell script whenever the signature matches. So we thought maybe there is a way to execute the script file in the notice redefinition file. I used the function piped_exec. The problem is that when I run the following command,

/usr/local/bro/bin/ ./bro -r pcapFile.pcap broFile.bro

everything goes well with the worker. The script runs, but on the manager side it does not execute the shell script file.

Do you think I should use different command for manager?

I’ve uploaded the files on github:

Best regards,

Fahimeh Alizadeh

If you run that script on a cluster, the piped_exec command will be run where the traffic is being seen (the worker). The manager will never run it.

What you likely want to do is allow your workers to generate notices and use the Notice::policy to make your manager execute your shell script. Something like this…

redef Notice::policy += {
  [$pred(n: Notice::Info) = {
    # Only act on our own notice type, and only when the notice carries a
    # connection id (n$id is &optional, so guard it before dereferencing).
    if ( n$note == TCP::TEST && n?$id )
      {
      local cmd = fmt("/usr/local/bro/share/bro/site/test.sh");
      # Run the script with the originator address on its stdin.
      piped_exec(cmd, fmt("%s", n$id$orig_h));
      }
    # Return F so this item adds no notice action; the side effect above is all we want.
    return F;
  }]
};

I haven't tested this code so there may be some issue(s) with it. :)
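The reply above only shows the manager side (the Notice::policy item). The worker side it refers to, where the signature match is turned into a notice that the cluster then forwards to the manager, would look like the following. This is an added example written for this page, not code from the thread or from the Bro distribution; the signature id "tcp-test" in the .sig file and the notice type TCP::TEST are assumed names, and signature_match / signature_state are the standard Bro 2.x event and record for signature hits. One caveat worth keeping in mind for both halves: piped_exec is synchronous, so a slow test.sh will stall whichever node runs it (here, the manager) for the duration of the script.

```bro
@load base/frameworks/notice
@load base/frameworks/signatures

module TCP;

export {
    # Assumed notice type; must match the n$note comparison in the
    # Notice::policy item on the manager.
    redef enum Notice::Type += { TEST };
}

# Fired on the worker that saw the packet, for every signature whose
# action is "event" in the .sig file. state$sig_id is the id declared in
# that file ("tcp-test" is an assumed name for this example).
event signature_match(state: signature_state, msg: string, data: string)
{
    if ( state$sig_id != "tcp-test" )
        return;

    # Raising the notice here is all the worker does; the cluster framework
    # ships it to the manager, where Notice::policy runs and can call
    # piped_exec. $identifier makes repeated hits from one source get
    # suppressed instead of re-running the script on every packet.
    NOTICE([$note=TCP::TEST,
            $msg=fmt("signature %s matched: %s", state$sig_id, msg),
            $sub=data,
            $conn=state$conn,
            $identifier=cat(state$conn$id$orig_h)]);
}
```

Because NOTICE is called with $conn, the Notice::Info that reaches the manager has n$id populated, which is what the policy item's n$id$orig_h relies on; a notice raised without a connection would leave that field unset.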