[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20226#comment-20226 ]
Robin Sommer commented on BIT-1339:
-----------------------------------

Turns out this needs more discussion, as the right solution isn't quite clear yet.

> Remove src and dst from notice
> ------------------------------
>
>                 Key: BIT-1339
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>            Assignee: Seth Hall
>             Fix For: 2.5
>
>
> Email from Brian Kellog...
> Related to this, I'm planning on deprecating $src and $dst from notices and
> removing their use from all shipped Bro scripts.
> {quote}
> I'm going through and updating the NOTICEs for different detection scripts
> built into Bro. Trying to get the generated NOTICE logs set correctly for
> ELSA to parse. It is working but I'm not sure if I'm doing this the most
> Bro-appropriate way. A couple of questions:
> Is this the best way to accomplish this task? Secondly, if advisable, how do
> we get these script changes incorporated into Bro base? I'm not that
> experienced with git but willing to learn more if needed. These changes were
> made, again, to benefit ELSA searching/grouping and for the Bro correlation
> script recently released.
> Here's what I changed/add to some of the built-in detection scripts (Lines > with "+" are what I changed/added): > /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro > NOTICE([$note=Password_Guessing, > $msg=fmt("%s appears to be guessing SSH passwords (seen in %d > connections).", key$host, r$num), > $sub=sub_msg, > + #$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro > NOTICE([$note=FTP::Bruteforcing, > + #$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > $msg=message, > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro > NOTICE([$note=SQL_Injection_Attacker, > $msg="An SQL injection attacker was discovered!", > $email_body_sections=vector(format_sqli_samples(r$samples)), > + #$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > + $sub=cat(format_sqli_samples(r$samples)), > $identifier=cat(key$host)]); > }]); > … > NOTICE([$note=SQL_Injection_Victim, > $msg="An SQL injection victim was discovered!", > $email_body_sections=vector(format_sqli_samples(r$samples)), > + #$src=key$host, > + > $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp], > + $sub=cat(format_sqli_samples(r$samples)), > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/misc/scan.bro > NOTICE([$note=Address_Scan, > #$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], > + #$p=to_port(key$str), > $sub=side, > $msg=message, > $identifier=cat(key$host)]); > }]); > … > NOTICE([$note=Port_Scan, > #$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp], > + #$dst=to_addr(key$str), > $sub=side, > $msg=message, > $identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro > 
NOTICE([$note=Traceroute::Detected, > $msg=fmt("%s seems to be running traceroute using %s", src, > proto), > + #$src=src, > + $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp], > $identifier=cat(src,proto)]); > }]); > {quote} -- This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014) _______________________________________________ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
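Review bot: in the SSH detect-bruteforcing.bro hunk, `$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp]` encodes the unknown responder as a literal 0.0.0.0:0/tcp, and the message on the same notice says the guesses were "seen in %d connections", so there is no single responder to name. A consumer of notice.log (ELSA here) cannot tell that sentinel apart from a host that really is 0.0.0.0, whereas the commented-out `$src=key$host` stated exactly what was known. Until the $src/$dst decision in this ticket is settled, keep `$src` alongside `$id`, or leave `$id` off notices that describe a host rather than a connection.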
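Review bot: the FTP::Bruteforcing hunk has the same 0.0.0.0/0/tcp placeholder as the SSH one, so whatever is decided for the SSH notice should be applied to both; the two bruteforcing notices should not end up with different conventions for "responder unknown".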
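Review bot: in the SQL_Injection_Attacker hunk, `$sub=cat(format_sqli_samples(r$samples))` has a redundant `cat()`: the same call feeds `$email_body_sections=vector(...)`, whose elements are strings, so `format_sqli_samples` already returns a string. More to the point, the samples are attacker-supplied request data that until now went only into the e-mail body; copying them into `$sub` puts untrusted, potentially long content into the notice.log field that ELSA groups on, while `$identifier=cat(key$host)` and `$id` already identify the attacker. If the samples really belong in $sub, write `$sub=format_sqli_samples(r$samples)` and check how long values in that field are handled downstream.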
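Review bot: the Address_Scan hunk in scan.bro has a type error: `$resp_p=key$str` assigns a string to the port field of the conn_id. The line commented out directly below it, `#$p=to_port(key$str)`, is the conversion that is needed; this should read `$resp_p=to_port(key$str)`, otherwise Bro rejects the record constructor when the script is loaded.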
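Review bot: same problem in the Port_Scan hunk: `$resp_h=key$str` assigns a string to an addr field. The commented-out `#$dst=to_addr(key$str)` shows the conversion that was in place before, so this should be `$resp_h=to_addr(key$str)`.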
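Review bot: in the Traceroute::Detected hunk, `$id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp]` hard-codes icmp ports, but the message two lines up reports the protocol from `proto` ("running traceroute using %s"), so for a UDP or TCP traceroute the id claims icmp. Build the port literal from `proto` instead of hard-coding it, and keep `$identifier=cat(src,proto)` as is since it already carries the protocol.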