All,
So I was intrigued with the largeTx script. As I'm not advanced with bro's scripting, I'm trying to change this to just notice instead of email:
I've added a little more smarts to the script as I become more familiar with bro scripting. I'm simply amazed at the possibilities of Bro; thank you to those who have and continue to develop this awesome tool. I wish I had run across it five years ago. Attached is the current iteration. I'm trying to keep track of and alert on hosts that have multiple large upload events in a given time and any destination hosts that have seen multiple uploads over a given time. To disable the mail alerts just comment out the below. If any of my inline comments are unclear yell at me.
largeTx.bro (4.17 KB)
Thanks for this Brian...working with it now.
James
So I've completely removed and re-installed bro-2.2. Here's what I get when I try and test the script:
[11:11:47 @analysis:~/brostuff/testbrofiles$] bro largeTx.bro
error in ./largeTx.bro, line 7: unrecognized character -
error in ./largeTx.bro, line 8: unrecognized character -
<redacted>
error in ./largeTx.bro, line 96: unrecognized character -
error in ./largeTx.bro, line 97: unrecognized character -
I've tried just downloading the file from email, copying and pasting as text, and even getting rid of the tab control characters. The below snippet works though:
event bro_init()
    {
    print "Hello World!";
    }
[11:15:15 @analysis:~/brostuff/testbrofiles$] bro helloworld.bro
Hello World!
If I copy the script to /usr/local/bro/share/bro/site, add it to local.bro with "@load largeTx.bro", start broctl, install, then start, I get a fail and diag shows the same as above.
Am I missing something obvious? Thank you.
James
Hmm, not sure.
I usually edit the script with Notepad++ and then copy it into a Vi session on the SecurityOnion sensor. Line 8 is a comment; at least on mine.
Try using "broctl check" and "broctl diag" after stopping bro and see if that turns up anything. I'm pretty new to Bro so hopefully I'm not leading you down the wrong path.
Thank you,
Brian Kellogg
Security Analyst; IT Governance, Risk, and Compliance
Bah...turns out something funky with copy/paste 8-| Opened the file in Notepad++ then pasted into a new file on the Linux box and away it went...thanks again Brian.
James
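A small checker for the failure mode James hit, written for this thread and not part of Brian's largeTx.bro: it lists every non-ASCII character in a script with the same 1-based line numbering Bro uses in its "unrecognized character" errors, and maps the usual word-processor substitutes (typographic dashes and quotes, non-breaking spaces, a BOM) back to ASCII. The sample script and its module name are constructed, and the assumption that the pasted file carried such characters is mine; the thread only says copy/paste was at fault.

```python
import unicodedata

# Typographic characters that word processors and some editors substitute
# for plain ASCII; Bro's lexer only accepts ASCII punctuation and whitespace.
# Assumed mapping, constructed for this example.
REPLACEMENTS = {
    "\u2013": "-",                  # en dash
    "\u2014": "--",                 # em dash
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u00a0": " ",                  # non-breaking space
    "\ufeff": "",                   # byte-order mark
}

def find_non_ascii(text):
    """Return (line, column, character name) for each non-ASCII character,
    with 1-based line numbers matching Bro's parse-error output."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 0x7F:
                name = unicodedata.name(ch, "U+%04X" % ord(ch))
                hits.append((lineno, col, name))
    return hits

def normalize(text):
    """Replace the known substitutes with ASCII; anything not in the
    mapping is left in place so find_non_ascii() still reports it."""
    for bad, good in REPLACEMENTS.items():
        text = text.replace(bad, good)
    return text

# Constructed sample: a comment with an en dash and a declaration with a
# non-breaking space, the kind of thing Bro reports as "unrecognized character".
SAMPLE = (
    "@load base/frameworks/notice\n"
    "\n"
    "module LargeTx;\n"
    "\n"
    "export {\n"
    "    ## Threshold \u2013 flag uploads above this size.\n"
    "    const upload_threshold\u00a0= 100000000 &redef;\n"
    "}\n"
)

if __name__ == "__main__":
    for lineno, col, name in find_non_ascii(SAMPLE):
        print("line %d, col %d: %s" % (lineno, col, name))
    print("clean after normalize:", find_non_ascii(normalize(SAMPLE)) == [])
```

Run it against the real file with `find_non_ascii(open("largeTx.bro", encoding="utf-8").read())`; the reported line numbers should line up with Bro's error lines.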