[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1339:
---------------------------------

    Assignee:     (was: Seth Hall)

> Remove src and dst from notice
> ------------------------------
>
>                 Key: BIT-1339
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Seth Hall
>             Fix For: 2.5
>
>
> Email from Brian Kellog...
> Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts.
> {quote}
> I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions:
> Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released.
>
> Here's what I changed/added to some of the built-in detection scripts (lines with "+" are what I changed/added):
>
> /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
>       NOTICE([$note=Password_Guessing,
>               $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
>               $sub=sub_msg,
> +             #$src=key$host,
> +             $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
>               $identifier=cat(key$host)]);
>       }]);
>
> /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
>       NOTICE([$note=FTP::Bruteforcing,
> +             #$src=key$host,
> +             $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
>               $msg=message,
>               $identifier=cat(key$host)]);
>       }]);
>
> /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
>       NOTICE([$note=SQL_Injection_Attacker,
>               $msg="An SQL injection attacker was discovered!",
>               $email_body_sections=vector(format_sqli_samples(r$samples)),
> +             #$src=key$host,
> +             $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> +             $sub=cat(format_sqli_samples(r$samples)),
>               $identifier=cat(key$host)]);
>       }]);
> …
>       NOTICE([$note=SQL_Injection_Victim,
>               $msg="An SQL injection victim was discovered!",
>               $email_body_sections=vector(format_sqli_samples(r$samples)),
> +             #$src=key$host,
> +             $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
> +             $sub=cat(format_sqli_samples(r$samples)),
>               $identifier=cat(key$host)]);
>       }]);
>
> /opt/bro/share/bro/policy/misc/scan.bro
>       NOTICE([$note=Address_Scan,
>               #$src=key$host,
> +             $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
> +             #$p=to_port(key$str),
>               $sub=side,
>               $msg=message,
>               $identifier=cat(key$host)]);
>       }]);
> …
>       NOTICE([$note=Port_Scan,
>               #$src=key$host,
> +             $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
> +             #$dst=to_addr(key$str),
>               $sub=side,
>               $msg=message,
>               $identifier=cat(key$host)]);
>       }]);
>
> /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
>       NOTICE([$note=Traceroute::Detected,
>               $msg=fmt("%s seems to be running traceroute using %s", src, proto),
> +             #$src=src,
> +             $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
>               $identifier=cat(src,proto)]);
>       }]);
> {quote}

--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
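Review bot: the Password_Guessing and FTP::Bruteforcing hunks fill `$resp_h=0.0.0.0,$resp_p=0/tcp` purely because only `key$host` is known at that point, and those placeholders are written to notice.log exactly like a real responder. Anything that groups on id.resp_h, which is the ELSA use case the message gives as motivation, will then lump every such notice under 0.0.0.0; the same applies to the `$orig_h=0.0.0.0` in the SQL_Injection_Victim hunk and the `$resp_h=0.0.0.0` in Address_Scan. If `$id` is going to carry half-known endpoints, the 0.0.0.0 / 0/tcp sentinel needs to be documented as the "unknown" convention so consumers can filter on it, rather than being left implicit in each script. Commenting out `#$src=key$host` instead of deleting it also leaves dead lines in shipped scripts.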
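Review bot: in both the SQL_Injection_Attacker and SQL_Injection_Victim hunks, `$sub=cat(format_sqli_samples(r$samples))` copies the observed request samples into the notice's sub field, so the same attacker-controlled URIs that already go into `$email_body_sections` now also land in a notice.log column that ELSA tokenises for grouping. Treat that column as untrusted input on the consumer side (no splitting on characters the samples can contain, no interpolation into queries), confirm the log writer's escaping of separators and newlines covers these strings, and decide whether carrying the samples in two fields of the same notice is actually wanted or whether one of the two should go.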
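Review bot: `$resp_p=key$str` in the Address_Scan hunk assigns a string to a port field: the record being built is a conn_id and its resp_p is typed port, while `key$str` is a string. This needs `to_port(key$str)`, exactly as the commented-out `#$p=to_port(key$str)` line directly below it already did.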
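Review bot: the Port_Scan hunk has the mirror-image type clash: `$resp_h=key$str` puts a string into the addr-typed resp_h. Use `to_addr(key$str)`, as the commented-out `#$dst=to_addr(key$str)` line did, and load the modified scan.bro under bro once before submitting so both conversions are exercised together.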
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20226#comment-20226 ]

Robin Sommer commented on BIT-1339:
-----------------------------------

Turns out this needs more discussion, as the right solution isn't quite clear yet.
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-1339:
------------------------------

    Fix Version/s:     2.5
                           (was: 2.4)
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042 ]

Aaron Eppert edited comment on BIT-1339 at 3/19/15 5:17 PM:
------------------------------------------------------------

Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p.

{noformat}
NOTICE([$note=Address_Scan,
        $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
        $sub=side,
        $msg=message,
        $identifier=cat(key$host)]);
}]);
{noformat}

was (Author: aeppert):
Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p.

{noformat}
NOTICE([$note=Address_Scan,
        #$src=key$host,
+       $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+       #$p=to_port(key$str),
        $sub=side,
        $msg=message,
        $identifier=cat(key$host)]);
}]);
{noformat}
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042 ]

Aaron Eppert edited comment on BIT-1339 at 3/19/15 5:17 PM:
------------------------------------------------------------

Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p.

{noformat}
NOTICE([$note=Address_Scan,
        #$src=key$host,
+       $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+       #$p=to_port(key$str),
        $sub=side,
        $msg=message,
        $identifier=cat(key$host)]);
}]);
{noformat}

was (Author: aeppert):
Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p.

{code:bro}
NOTICE([$note=Address_Scan,
        #$src=key$host,
+       $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+       #$p=to_port(key$str),
        $sub=side,
        $msg=message,
        $identifier=cat(key$host)]);
}]);
{code}
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042 ]

Aaron Eppert commented on BIT-1339:
-----------------------------------

Per the debacle in [BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure to add to_port() for $resp_p.

{code:bro}
NOTICE([$note=Address_Scan,
        #$src=key$host,
+       $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+       #$p=to_port(key$str),
        $sub=side,
        $msg=message,
        $identifier=cat(key$host)]);
}]);
{code}
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19962#comment-19962 ]

Seth Hall commented on BIT-1339:
--------------------------------

Yes, that was my plan.
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1339:
---------------------------

    Fix Version/s:     2.4
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
[ https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19934#comment-19934 ]

Jon Siwek commented on BIT-1339:
--------------------------------

Seth, do you plan to do this for 2.4?
> Here's what I changed/add to some of the built-in detection scripts (Lines > with "+" are what I changed/added): > /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro > NOTICE([$note=Password_Guessing, >$msg=fmt("%s appears to be guessing SSH passwords (seen in %d > connections).", key$host, r$num), >$sub=sub_msg, > + #$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], >$identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro > NOTICE([$note=FTP::Bruteforcing, > + #$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], >$msg=message, >$identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro > NOTICE([$note=SQL_Injection_Attacker, >$msg="An SQL injection attacker was discovered!", >$email_body_sections=vector(format_sqli_samples(r$samples)), > + #$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], > + $sub=cat(format_sqli_samples(r$samples)), >$identifier=cat(key$host)]); > }]); > … > NOTICE([$note=SQL_Injection_Victim, >$msg="An SQL injection victim was discovered!", >$email_body_sections=vector(format_sqli_samples(r$samples)), > + #$src=key$host, > + > $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp], > + $sub=cat(format_sqli_samples(r$samples)), >$identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/misc/scan.bro > NOTICE([$note=Address_Scan, >#$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], > + #$p=to_port(key$str), >$sub=side, >$msg=message, >$identifier=cat(key$host)]); > }]); > … > NOTICE([$note=Port_Scan, >#$src=key$host, > + > $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp], > + #$dst=to_addr(key$str), >$sub=side, >$msg=message, >$identifier=cat(key$host)]); > }]); > /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro > NOTICE([$note=Traceroute::Detected, 
>$msg=fmt("%s seems to be running traceroute using %s", src, > proto), > + #$src=src, > + $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp], >$identifier=cat(src,proto)]); > }]); > {quote}
[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice
Seth Hall created BIT-1339: -- Summary: Remove src and dst from notice Key: BIT-1339 URL: https://bro-tracker.atlassian.net/browse/BIT-1339 Project: Bro Issue Tracker Issue Type: Improvement Components: Bro Affects Versions: git/master Reporter: Seth Hall Assignee: Seth Hall Email from Brian Kellog... Related to this, I'm planning on deprecating $src and $dst from notices and removing their use from all shipped Bro scripts. {quote} I'm going through and updating the NOTICEs for different detection scripts built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA to parse. It is working but I'm not sure if I'm doing this the most Bro appropriate way. Couple questions: Is this the best way to accomplish this task? Secondly, if advisable, how do we get these script changes incorporated into Bro base? I'm not that experienced with git but willing to learn more if needed. These changes were made, again, to benefit ELSA searching/grouping and for the Bro correlation script recently released. 
Here's what I changed/add to some of the built-in detection scripts (Lines with "+" are what I changed/added): /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro NOTICE([$note=Password_Guessing, $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num), $sub=sub_msg, + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro NOTICE([$note=FTP::Bruteforcing, + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], $msg=message, $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro NOTICE([$note=SQL_Injection_Attacker, $msg="An SQL injection attacker was discovered!", $email_body_sections=vector(format_sqli_samples(r$samples)), + #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp], + $sub=cat(format_sqli_samples(r$samples)), $identifier=cat(key$host)]); }]); … NOTICE([$note=SQL_Injection_Victim, $msg="An SQL injection victim was discovered!", $email_body_sections=vector(format_sqli_samples(r$samples)), + #$src=key$host, + $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp], + $sub=cat(format_sqli_samples(r$samples)), $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/misc/scan.bro NOTICE([$note=Address_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str], + #$p=to_port(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); … NOTICE([$note=Port_Scan, #$src=key$host, + $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp], + #$dst=to_addr(key$str), $sub=side, $msg=message, $identifier=cat(key$host)]); }]); /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro NOTICE([$note=Traceroute::Detected, $msg=fmt("%s seems to be running traceroute using %s", src, proto), + #$src=src, + 
$id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp], $identifier=cat(src,proto)]); }]); {quote}
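A consumer-side view of the same transition, as an added example (Python, not Bro; not code from the ticket, from Brian's e-mail or from the Bro project): a small parser for Bro's ASCII log format plus helpers that recover the attacker and victim host from a notice whether the raising script filled $src/$dst (the old convention) or a synthesized $id with 0.0.0.0 and port 0 placeholders (the convention proposed in the quoted e-mail). The notice.log header is trimmed to a subset of the real columns and every record is constructed; the placeholder values are an assumption taken from the changes above.

```python
"""Consuming Bro notice.log while notices move from $src/$dst to $id.

Added example, not code from the ticket or from Bro. The sample log below is
constructed: a trimmed notice.log header and five invented records, two in
the old src/dst layout and three in the proposed $id layout with 0.0.0.0 and
port 0 as placeholders (assumption taken from the e-mail's hunks).
"""
from collections import Counter

PLACEHOLDER_ADDR = "0.0.0.0"   # assumed "no host" sentinel from the hunks
PLACEHOLDER_PORT = "0"         # 0/tcp and 0/icmp both log as port 0

# Constructed sample in Bro's ASCII log format (real tabs between columns).
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsub\tsrc\tdst\tp\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\taddr\taddr\tport\n"
    # old convention: attacker in src, id.* unset
    "1430000000.000001\t-\t-\t-\t-\t-\tSSH::Password_Guessing\t10.0.0.5 appears to be guessing SSH passwords (seen in 30 connections).\t-\t10.0.0.5\t-\t-\n"
    # new convention: attacker in id.orig_h, placeholder responder
    "1430000001.000001\t-\t10.0.0.5\t0\t0.0.0.0\t0\tFTP::Bruteforcing\t10.0.0.5 had 20 failed logins on 3 FTP servers\t-\t-\t-\t-\n"
    # new convention, victim side: placeholder originator, real responder
    "1430000002.000001\t-\t0.0.0.0\t0\t192.0.2.10\t0\tHTTP::SQL_Injection_Victim\tAn SQL injection victim was discovered!\t-\t-\t-\t-\n"
    # old convention with both src and dst
    "1430000003.000001\t-\t-\t-\t-\t-\tScan::Port_Scan\t203.0.113.9 scanned 15 ports of 192.0.2.20\t-\t203.0.113.9\t192.0.2.20\t-\n"
    # new convention for an address scan: scanned port in id.resp_p, no responder host
    "1430000004.000001\t-\t203.0.113.9\t0\t0.0.0.0\t22\tScan::Address_Scan\t203.0.113.9 scanned 25 hosts on 22/tcp\t-\t-\t-\t-\n"
)


def parse_bro_ascii(text):
    """Parse Bro ASCII log text into a list of dicts; unset fields become None."""
    sep, unset, fields, records = "\t", "-", None, []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator "):
                # the header spells the separator as an escape, e.g. \x09
                sep = raw.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            elif raw.startswith("#unset_field"):
                unset = raw.split(sep, 1)[1]
            elif raw.startswith("#fields"):
                fields = raw.split(sep)[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        vals = raw.split(sep)
        if len(vals) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(vals)}")
        records.append({f: (None if v == unset else v) for f, v in zip(fields, vals)})
    return records


def _real_addr(value):
    """Return value unless it is unset or the 0.0.0.0 placeholder."""
    return None if value in (None, PLACEHOLDER_ADDR) else value


def attacker_host(rec):
    """Old convention first (src), then id.orig_h, never reporting the placeholder."""
    return _real_addr(rec.get("src")) or _real_addr(rec.get("id.orig_h"))


def victim_host(rec):
    """Old convention first (dst), then id.resp_h, never reporting the placeholder."""
    return _real_addr(rec.get("dst")) or _real_addr(rec.get("id.resp_h"))


def victim_port(rec):
    """Port the notice is about: old p column, else id.resp_p, ignoring port 0."""
    for key in ("p", "id.resp_p"):
        value = rec.get(key)
        if value not in (None, PLACEHOLDER_PORT):
            return int(value)
    return None


def group_by_attacker(records):
    """Count notices per attacker host, the grouping a consumer like ELSA wants."""
    return Counter(h for h in map(attacker_host, records) if h is not None)


def unattributed(records):
    """Notes of notices where neither convention yields an attacker host."""
    return [r["note"] for r in records if attacker_host(r) is None]


if __name__ == "__main__":
    recs = parse_bro_ascii(SAMPLE_NOTICE_LOG)
    for host, n in group_by_attacker(recs).most_common():
        print(f"{host}\t{n} notices")
    print("no attacker host:", unattributed(recs))
```

During the deprecation a log consumer sees both layouts side by side, so the helpers try src/dst first and fall back to id.orig_h/id.resp_h, and they refuse to report 0.0.0.0 or port 0 as a real endpoint; a victim-only notice such as SQL_Injection_Victim therefore shows up as unattributed on the attacker axis instead of being grouped under 0.0.0.0.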