script working from cmd line but not from local.bro

I have a script I've been writing for a couple of weeks that looks at every connection's total bytes. If the total bytes when the connection is removed from memory are over X bytes, raise a Bro notice. I have a global variable structure defined to keep track of internal hosts that have uploaded more than X bytes in a connection.

The script works fine when running it from the command line. The notice.log is created with the custom notice entry. However, when I load this into Bro via the local.bro file, the notice is never raised, although Bro seems to start and run as it should. I hope I'm missing something really simple, as that has been the case in most of the roadblocks I've run into so far. I'm using Elsa in SO to query for the custom Notice entry by simply querying for all notices.

I’m not exporting anything in the script as I do not need to reference anything in it from any other script; I think I’m understanding the export directive correctly.

Thanks for any help.

Thank you,

Brian

Please post the script so we can review it.

Thanks,
  .Seth

susTx.bro is the simplified version of the script that works.

trackOutTx.bro is the one that doesn't.

Another thing I'm seeing is I cannot find these notices in Elsa once the notice.log has been rotated by SO. I'm sure I'm just not understanding something, as I'm quite new to SO, Bro, and Elsa. Is there something else I have to do to ensure these notices show up in the Elsa archive? Is there a delay of several hours before they show up in Elsa?

Thank you,
Brian Kellogg
Security Analyst; IT Governance, Risk, and Compliance
500 Paul Clark Drive, Olean, NY 14760
T: (716) 375-3186 | F: (716) 375-3557

susTx.bro (1.22 KB)

trackOutTx.bro (4.75 KB)

Hi Brian,

While troubleshooting the Bro scripts with Seth, take ELSA out of the
picture and just look at the raw Bro notice.log in
/nsm/bro/logs/current/. Once you have the scripts working correctly,
then we can help you with any ELSA issues over on the Security Onion
mailing list.

First thing to do would be to check the reporter.log for errors.

For performance/clarity reasons you should change this:

    for (x in psubs) {
            if (c$id$orig_h in psubs[x]) {
                    # check to see if dest ip is not an internal IP
                    for (y in psubs) {
                            if (c$id$resp_h in psubs[y]) {
                                    notFound = F;
                                    break;
                            }
                    }
                    # dest IP was not an internal IP so lets do this

to something like

    # check to see if orig IP is an internal IP
    if(!Site::is_local_addr(c$id$orig_h))
        return;

    # check to see if dest ip is not an internal IP
    if(Site::is_local_addr(c$id$resp_h))
        return;

or Site::is_private_addr, but you probably want is_local_addr
Bro natively supports sets of addresses, so you don't need to loop.
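To show the whole pattern the thread is discussing in one place (a notice raised from connection_state_remove when an internal host's outbound bytes in a single connection cross a threshold, using Site::is_local_addr instead of a hand-rolled subnet loop), here is an added example script. It is not either of Brian's attached scripts and not code from the Bro project; the module name, the notice type name, the 50 MB threshold and the one-hour suppression window are all assumptions chosen for illustration.

```bro
##! Added example (not from the thread or the attached scripts): raise a
##! notice when an internal host sends more than a threshold of bytes to an
##! external host in a single connection.

@load base/frameworks/notice
@load base/utils/site

# Module name is an assumption for this example.
module TrackOutTx;

export {
    redef enum Notice::Type += {
        ## An internal host uploaded more than upload_threshold bytes in one
        ## connection to an external host.
        Large_Outbound_Transfer,
    };

    ## Threshold in bytes. 50 MB is an assumed value; tune it for your site,
    ## e.g. with "redef TrackOutTx::upload_threshold = ...;" in local.bro.
    const upload_threshold = 50 * 1024 * 1024 &redef;

    ## Internal hosts already reported, so a chatty host does not produce one
    ## notice per connection. Entries expire an hour after they are added.
    global reported_hosts: set[addr] &create_expire = 1 hr;
}

# connection_state_remove fires when Bro drops the connection's state, at
# which point the byte counters in c$orig and c$resp are final.
event connection_state_remove(c: connection)
{
    # Only internal -> external traffic is of interest. Site::is_local_addr
    # consults Site::local_nets, which must be populated (broctl fills it
    # from networks.cfg, or set it with "redef Site::local_nets += { ... };").
    if ( ! Site::is_local_addr(c$id$orig_h) )
        return;
    if ( Site::is_local_addr(c$id$resp_h) )
        return;

    # c$orig$size is the number of payload bytes the originator sent.
    if ( c$orig$size <= upload_threshold )
        return;

    if ( c$id$orig_h in reported_hosts )
        return;
    add reported_hosts[c$id$orig_h];

    NOTICE([$note=Large_Outbound_Transfer,
            $msg=fmt("%s sent %d bytes to %s in one connection",
                     c$id$orig_h, c$orig$size, c$id$resp_h),
            $sub=fmt("threshold=%d", upload_threshold),
            $conn=c,
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
}
```

Two things worth checking when a script like this behaves differently under broctl than on the command line: that Site::local_nets is actually set in the running configuration (an empty set makes the first return fire for every connection, so no notice can ever be raised), and, as suggested above, that reporter.log in the current log directory shows no load-time errors for the script.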

I believe some of the problem is my formatting. I added some stuff back into the simpler script along with the changes that Justin recommended and had the same problem. I then went in and moved {} for the "if else" statements to their own lines like I see in the scripts that ship with Bro and then the script works. I haven't tried the entire more complex script yet, but I'll let this run and add to it over the weekend. Thanks for all the help and input.

Thank you,
Brian Kellogg