vector array of string used as a pattern for matching

I'm trying to create an array of domain names that I want to use as a pattern to search on. I know the below is wrong; I'm just looking for someone to educate me on how to do this in a Bro script, if it can be done. Thanks.

global ignoreDomains: vector of string = vector("webex.com", "pwc.com", "messagelabs.com", "akamaitechnologies.com");

when ( local dst = lookup_addr(c$id$resp_h) )
  {
  if ( /ignoreDomains$/ in dst )
    return;
  }

Thank you,

Brian Kellogg

Security Analyst; IT Governance, Risk, and Compliance

500 Paul Clark Drive, Olean, NY 14760

T: (716) 375-3186 | F: (716) 375-3557

www.dresser-rand.com NYSE: DRC


Bringing energy and the environment into harmony®


You could use a set of patterns.

global foo: set[pattern] = YourPatterns;
for ( each in foo )
  {
  if ( each in DomainInQuestion )
    DoSomething();
  }

-AK


Thanks, I thought of that as well. I was trying to not use a loop if at all possible.

Thanks,

Brian


I wrote some fairly elaborate code (called Stomper) a number of years ago that performed URL/domain matching on a blacklist and killed the connections in real time; it could probably be adapted to your use case. Aside from the other actions, the domain matching is done by successively splitting the domain into smaller parts and checking for set membership.

An example - given a domain www.badguy.com we would check:

www.badguy.com
badguy.com
.com

for membership in the set, and act on it accordingly - of course, unless you’re interested in tracking by TLD you wouldn’t go all the way down to .com, in this example.

If you're interested in the code, contact me offline.


Wouldn't this be a good use case for a Bloom filter?

http://www.bro.org/sphinx/scripts/base/bif/bloom-filter.bif.html

aaron

# Create a set of domain suffixes. The elements carry no leading dot: the
# pattern built below supplies the dot boundary, so "webex.com" and
# "www.webex.com" match while "notwebex.com" does not.
global ignore_domains = set("webex.com", "pwc.com", "messagelabs.com", "akamaitechnologies.com");
# Placeholder pattern that we replace at startup with one built from the set.
global my_domain_suffixes = /MATCH_NOTHING/; # There is a bug with setting blank patterns at the moment.

event bro_init() &priority=10
  {
  # Build my_domain_suffixes from the ignore_domains set: set_to_regex escapes
  # each element and substitutes the alternation of all of them for ~~.
  my_domain_suffixes = set_to_regex(ignore_domains, "(^\\.?|\\.)(~~)$");
  }

# I'll give an example event like you want.
event whatever(c: connection)
  {
  when ( local name = lookup_addr(c$id$resp_h) )
    {
    if ( my_domain_suffixes in name )
      return;
    }
  }

One thing to keep in mind with this script is the amount of DNS traffic you could easily cause if you handle an event that fires a lot (like the connection_established event). You may want to do some name caching or restrictions on when the lookups are done. We are also getting some evidence that overusing when statements is causing trouble for a few people.

Please when you are writing scripts, put them into a namespace (with "module MySpecialModule;" at the beginning of your script) to help us avoid stomping on identifier names that you are using.

Thanks,
  .Seth

the domain matching is done by successively splitting the domain into smaller parts & check for set membership

This has a lot of overhead in Bro at the moment due to the amount of string manipulation. I have an example module of a faster way to do this that doesn't involve any string manipulation.

  https://github.com/sethhall/bro-junk-drawer/tree/master/domain-tld

It includes Mozilla's list of "effective TLDs". Things like co.uk are counted as TLDs.

@load domain-tld
DomainTLD::effective_tld("www.google.co.uk");

  => co.uk

DomainTLD::effective_tld("www.google.com");

  => com

DomainTLD::effective_domain("whatever.www.blah.google.co.uk");

  => google.co.uk

DomainTLD::effective_domain("whatever.www.blah.google.com");

  => google.com

  .Seth
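The suffix walk described earlier in the thread (check www.badguy.com, then badguy.com, then the TLD, against a set) and the effective-TLD lookups shown above, worked through in Python as an added example. This is not Bro script and not code from the thread or the domain-tld module; the ignore list is the one from the original question, and the tiny effective-TLD set is a constructed stand-in for Mozilla's list.

```python
# Added example: suffix-walk domain matching and effective-TLD lookup.
# Label-wise suffix checks avoid the substring pitfall of a plain regex
# ("notwebex.com" must not be treated as a webex.com host).

# Ignore list from the original question (whole-label suffixes, no leading dot).
IGNORE_DOMAINS = {"webex.com", "pwc.com", "messagelabs.com", "akamaitechnologies.com"}

# Constructed stand-in for Mozilla's effective-TLD list; "co.uk" counts as a TLD.
EFFECTIVE_TLDS = {"com", "org", "net", "uk", "co.uk"}


def suffixes(name):
    """Yield every label-aligned suffix, most specific first:
    'www.badguy.com' -> 'www.badguy.com', 'badguy.com', 'com'."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def matches_ignore_list(name, ignore=IGNORE_DOMAINS):
    """True if name equals, or is a subdomain of, an entry in the ignore set.
    Each candidate is a whole-label suffix, so 'notwebex.com' does not match
    and 'webex.com.evil.example' does not match either."""
    return any(s in ignore for s in suffixes(name))


def effective_tld(name, tlds=EFFECTIVE_TLDS):
    """Longest suffix that is an effective TLD ('co.uk' for www.google.co.uk).
    suffixes() yields longest-first, so the first hit is the longest."""
    for s in suffixes(name):
        if s in tlds:
            return s
    return ""


def effective_domain(name, tlds=EFFECTIVE_TLDS):
    """Registrable domain: exactly one label in front of the effective TLD,
    e.g. 'google.co.uk' for whatever.www.blah.google.co.uk. Returns '' when
    the name has no known effective TLD or is itself only an effective TLD."""
    tld = effective_tld(name, tlds)
    if not tld:
        return ""
    labels = name.lower().rstrip(".").split(".")
    tld_labels = tld.count(".") + 1
    if len(labels) <= tld_labels:
        return ""
    return ".".join(labels[-(tld_labels + 1):])
```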

Thank you!

This is for a script that alerts on large outgoing Tx's. So the domain lookups are not going to be that frequent; at least they better not be.

Hopefully I'll get some time next week to work this solution in. Wish I had more time to spend on Bro. It is an incredible and invaluable tool for any NSM solution.

Thank you,
Brian Kellogg