[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1339:
-

Assignee: (was: Seth Hall)

> Remove src and dst from notice
> --
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
> Fix For: 2.5
>
>
> Email from Brian Kellog...
> Related to this, I'm planning on deprecating $src and $dst from notices and 
> removing their use from all shipped Bro scripts.
> {quote}
> I'm going through and updating the NOTICEs for different detection scripts 
> built into Bro.  Trying to get the generated NOTICE logs set correctly for 
> ELSA to parse.  It is working but I'm not sure if I'm doing this the most Bro 
> appropriate way.  Couple questions:
> Is this the best way to accomplish this task?  Secondly, if advisable, how do 
> we get these script changes incorporated into Bro base?  I'm not that 
> experienced with git but willing to learn more if needed.  These changes were 
> made, again, to benefit ELSA searching/grouping and for the Bro correlation 
> script recently released.
> Here's what I changed/added to some of the built-in detection scripts (Lines 
> with "+" are what I changed/added):
> /opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
> NOTICE([$note=Password_Guessing,
>$msg=fmt("%s appears to be guessing SSH passwords (seen in %d 
> connections).", key$host, r$num),
>$sub=sub_msg,
> +   #$src=key$host,
> +   
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
>$identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
> NOTICE([$note=FTP::Bruteforcing,
> +   #$src=key$host,
> +   
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
>$msg=message,
>$identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
> NOTICE([$note=SQL_Injection_Attacker,
>$msg="An SQL injection attacker was discovered!",
>$email_body_sections=vector(format_sqli_samples(r$samples)),
> +   #$src=key$host,
> +   
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
> +   $sub=cat(format_sqli_samples(r$samples)),
>$identifier=cat(key$host)]);
> }]);
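Review bot: in the SQL_Injection_Attacker hunk, the added $sub=cat(format_sqli_samples(r$samples)) calls format_sqli_samples() a second time on the same r$samples already passed to $email_body_sections; compute it once into a local and reuse it. Note also that $sub is a logged field, so the injection samples (request content chosen by the offending client) now land in notice.log as well as in the e-mail body; that is what the ELSA searching goal wants, but it is worth a comment saying the duplication is intentional.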
> …
> NOTICE([$note=SQL_Injection_Victim,
>$msg="An SQL injection victim was discovered!",
>$email_body_sections=vector(format_sqli_samples(r$samples)),
> +   #$src=key$host,
> +   
> $id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
> +   $sub=cat(format_sqli_samples(r$samples)),
>$identifier=cat(key$host)]);
> }]);
> /opt/bro/share/bro/policy/misc/scan.bro
> NOTICE([$note=Address_Scan,
>#$src=key$host,
> +   
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
> +   #$p=to_port(key$str),
>$sub=side,
>$msg=message,
>$identifier=cat(key$host)]);
> }]);
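Review bot: in the Address_Scan hunk, $resp_p=key$str assigns a string to the port field of conn_id, so Bro will reject the record constructor with a type mismatch; it needs the same to_port() conversion that the commented-out $p line already uses, i.e. $resp_p=to_port(key$str). This is the point Aaron Eppert raises in his comment on this issue.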
> …
> NOTICE([$note=Port_Scan,
>#$src=key$host,
> +   
> $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
> +   #$dst=to_addr(key$str),
>$sub=side,
>$msg=message,
>$identifier=cat(key$host)]);
> }]);
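Review bot: same problem in the Port_Scan hunk, $resp_h=key$str puts a string into the addr field; use to_addr(key$str) as the commented-out $dst line does. Since key$str is the scanned port in Address_Scan but the scanned host in Port_Scan, a one-line comment above each $id saying which conversion applies would keep the two blocks from being copy-pasted interchangeably.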
> /opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
> NOTICE([$note=Traceroute::Detected,
>$msg=fmt("%s seems to be running traceroute using %s", src, 
> proto),
> +   #$src=src,
> +   $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
>$identifier=cat(src,proto)]);
> }]);
> {quote}



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)

___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
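An added example, not code from the thread or from Bro itself: a small Python consumer of notice.log that applies the convention from the quoted description (offender in id.orig_h, victim in id.resp_h, 0.0.0.0 and port 0 standing in for the unknown side) so that grouping by source still works once $src/$dst are dropped, while still honouring the legacy columns where a script sets them. The column subset, notice messages and addresses are a constructed sample.

```python
"""Consumer-side view of the $id-based notice convention: the scanner or
attacker goes in id.orig_h, the victim in id.resp_h, and the unknown side
is filled with the placeholders 0.0.0.0 and port 0.  Added example, not
code from the Bro project or the thread."""
from collections import Counter

# Placeholder values used in the quoted NOTICE() calls for "side unknown".
UNSET_ADDR = "0.0.0.0"
UNSET_PORT = "0"
UNSET = "-"  # Bro's ASCII writer marks an unset field with '-'

# Constructed sample: a reduced notice.log (subset of the real columns) in
# Bro's tab-separated ASCII format, with notices shaped like the ones in the
# thread.  The message texts and addresses are made up.
SAMPLE_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsub\tsrc\tdst\n"
    "#types\ttime\taddr\tport\taddr\tport\tenum\tstring\tstring\taddr\taddr\n"
    "1426000000.000000\t198.51.100.7\t0\t0.0.0.0\t0\tSSH::Password_Guessing\t"
    "198.51.100.7 appears to be guessing SSH passwords\t-\t-\t-\n"
    "1426000001.000000\t198.51.100.7\t0\t0.0.0.0\t22\tScan::Address_Scan\t"
    "198.51.100.7 scanned many hosts on 22/tcp\tlocal\t-\t-\n"
    "1426000002.000000\t0.0.0.0\t0\t192.0.2.10\t0\tHTTP::SQL_Injection_Victim\t"
    "An SQL injection victim was discovered!\t-\t-\t-\n"
    # Legacy-style notice that still fills $src only, with $id left unset.
    "1426000003.000000\t-\t-\t-\t-\tTraceroute::Detected\t"
    "203.0.113.9 seems to be running traceroute using icmp\t-\t203.0.113.9\t-\n"
)


def parse_notice_log(text):
    """Parse Bro ASCII log text into a list of {field: value} dicts."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header lines (#separator, #types, #close)
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def _addr(value):
    """Map '-' and the 0.0.0.0 placeholder to None."""
    return None if value in (UNSET, UNSET_ADDR) else value


def _port(value):
    """Map '-' and the port-0 placeholder to None, else an int."""
    return None if value in (UNSET, UNSET_PORT) else int(value)


def notice_endpoints(rec):
    """Return (src, dst, dst_port) for one notice, None for an unknown side.

    Legacy $src/$dst columns win when set; otherwise the sides come from
    $id, with the placeholders read as "unknown" rather than as real hosts.
    """
    src = _addr(rec.get("src", UNSET)) or _addr(rec.get("id.orig_h", UNSET))
    dst = _addr(rec.get("dst", UNSET)) or _addr(rec.get("id.resp_h", UNSET))
    return src, dst, _port(rec.get("id.resp_p", UNSET))


def count_by_source(records):
    """Group notices by offending host, the way ELSA-style searching does."""
    counts = Counter()
    for rec in records:
        src, _, _ = notice_endpoints(rec)
        counts[src or "unknown"] += 1
    return counts


if __name__ == "__main__":
    notices = parse_notice_log(SAMPLE_LOG)
    for rec in notices:
        print(rec["note"], notice_endpoints(rec))
    print(count_by_source(notices))
```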


[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20226#comment-20226
 ] 

Robin Sommer commented on BIT-1339:
---

Turns out this needs more discussion, as the right solution isn't quite clear 
yet.

> Remove src and dst from notice
> --
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Seth Hall
> Fix For: 2.5


[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1339:
--
Fix Version/s: (was: 2.4)
   2.5

> Remove src and dst from notice
> --
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Seth Hall
> Fix For: 2.5


[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-03-19 Thread Aaron Eppert (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042
 ] 

Aaron Eppert edited comment on BIT-1339 at 3/19/15 5:17 PM:


Per the debacle in 
[BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure 
to add to_port() for $resp_p.


{noformat}
NOTICE([$note=Address_Scan,
$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);

{noformat}



was (Author: aeppert):
Per the debacle in 
[BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure 
to add to_port() for $resp_p.


{noformat}
NOTICE([$note=Address_Scan,
#$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+ #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);

{noformat}


> Remove src and dst from notice
> --
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Seth Hall
> Fix For: 2.4

[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-03-19 Thread Aaron Eppert (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042
 ] 

Aaron Eppert edited comment on BIT-1339 at 3/19/15 5:17 PM:


Per the debacle in 
[BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure 
to add to_port() for $resp_p.


{noformat}
NOTICE([$note=Address_Scan,
#$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+ #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);

{noformat}



was (Author: aeppert):
Per the debacle in 
[BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure 
to add to_port() for $resp_p.

{code:bro}
NOTICE([$note=Address_Scan,
#$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+ #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);
{code}

> Remove src and dst from notice
> --
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Seth Hall
> Fix For: 2.4

[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-03-19 Thread Aaron Eppert (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20042#comment-20042
 ] 

Aaron Eppert commented on BIT-1339:
---

Per the debacle in 
[BITS-1346|https://bro-tracker.atlassian.net/browse/BIT-1346] - I'd make sure 
to add to_port() for $resp_p.

{code:bro}
NOTICE([$note=Address_Scan,
#$src=key$host,
+ $id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=to_port(key$str)],
+ #$p=to_port(key$str),
$sub=side,
$msg=message,
$identifier=cat(key$host)]);
}]);
{code}

> Remove src and dst from notice
> --
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Seth Hall
> Fix For: 2.4


[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-03-16 Thread Seth Hall (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19962#comment-19962
 ] 

Seth Hall commented on BIT-1339:


Yes, that was my plan.

> Remove src and dst from notice
> --
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Seth Hall
> Fix For: 2.4


[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-03-13 Thread Jon Siwek (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Siwek updated BIT-1339:
---
Fix Version/s: 2.4

> Remove src and dst from notice
> --
>
> Key: BIT-1339
> URL: https://bro-tracker.atlassian.net/browse/BIT-1339
> Project: Bro Issue Tracker
>  Issue Type: Improvement
>  Components: Bro
>Affects Versions: git/master
>Reporter: Seth Hall
>Assignee: Seth Hall
> Fix For: 2.4


[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-03-13 Thread Jon Siwek (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19934#comment-19934
 ] 

Jon Siwek commented on BIT-1339:


Seth, do you plan to do this for 2.4?






[Bro-Dev] [JIRA] (BIT-1339) Remove src and dst from notice

2015-03-11 Thread Seth Hall (JIRA)
Seth Hall created BIT-1339:
--

 Summary: Remove src and dst from notice
 Key: BIT-1339
 URL: https://bro-tracker.atlassian.net/browse/BIT-1339
 Project: Bro Issue Tracker
  Issue Type: Improvement
  Components: Bro
Affects Versions: git/master
Reporter: Seth Hall
Assignee: Seth Hall


Email from Brian Kellog...

Related to this, I'm planning on deprecating $src and $dst from notices and 
removing their use from all shipped Bro scripts.

{quote}
I'm going through and updating the NOTICEs for different detection scripts 
built into Bro. Trying to get the generated NOTICE logs set correctly for ELSA 
to parse. It is working but I'm not sure if I'm doing this the most 
Bro-appropriate way. A couple of questions:

Is this the best way to accomplish this task? Secondly, if advisable, how do 
we get these script changes incorporated into Bro base? I'm not that 
experienced with git but willing to learn more if needed. These changes were 
made, again, to benefit ELSA searching/grouping and for the Bro correlation 
script recently released.

Here's what I changed/added in some of the built-in detection scripts (lines 
with "+" are what I changed/added):

/opt/bro/share/bro/policy/protocols/ssh/detect-bruteforcing.bro
NOTICE([$note=Password_Guessing,
   $msg=fmt("%s appears to be guessing SSH passwords (seen in %d 
connections).", key$host, r$num),
   $sub=sub_msg,
+   #$src=key$host,
+   
$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
   $identifier=cat(key$host)]);
}]);
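Review bot: the `$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp]` line invents a responder: a `conn_id` needs all four fields, so the unknown side is filled with `0.0.0.0` and `0/tcp`, and a notice.log consumer cannot tell that sentinel from a genuine connection to 0.0.0.0. If this is kept, document the sentinel (or have the consumer treat `0.0.0.0`/`0` as unset); the cleaner fix is the one the ticket proposes, a single canonical field for the offending host. Also, the bare `+` line followed by an unprefixed `$id=` line is a mail line-wrap, so the listing does not make clear that the whole `$id=` line is the addition.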

/opt/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
NOTICE([$note=FTP::Bruteforcing,
+   #$src=key$host,
+   
$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
   $msg=message,
   $identifier=cat(key$host)]);
}]);
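Review bot: same sentinel `conn_id` as in the SSH hunk, and `#$src=key$host` is left as a commented-out line rather than removed. Since the ticket intends to deprecate `$src`, drop the dead line, and note that any ELSA query still keyed on the `src` column stops matching this notice once `$src` is no longer set.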

/opt/bro/share/bro/policy/protocols/http/detect-sqli.bro
NOTICE([$note=SQL_Injection_Attacker,
   $msg="An SQL injection attacker was discovered!",
   $email_body_sections=vector(format_sqli_samples(r$samples)),
+   #$src=key$host,
+   
$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=0/tcp],
+   $sub=cat(format_sqli_samples(r$samples)),
   $identifier=cat(key$host)]);
}]);
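Review bot: `$sub=cat(format_sqli_samples(r$samples))` wraps in `cat()` a value that the `$email_body_sections=vector(format_sqli_samples(r$samples))` line above already passes straight into a vector of strings, so the function already returns a string and the `cat()` is redundant: `$sub=format_sqli_samples(r$samples)`. More importantly, `sub` is a single log column while those samples are formatted for a mail body, so check that the ELSA parser copes with the line structure `format_sqli_samples` emits before relying on `sub` for grouping.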

…

NOTICE([$note=SQL_Injection_Victim,
   $msg="An SQL injection victim was discovered!",
   $email_body_sections=vector(format_sqli_samples(r$samples)),
+   #$src=key$host,
+   
$id=[$orig_h=0.0.0.0,$orig_p=0/tcp,$resp_h=key$host,$resp_p=0/tcp],
+   $sub=cat(format_sqli_samples(r$samples)),
   $identifier=cat(key$host)]);
}]);
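Review bot: this is the one hunk where the move from `$src` to `$id` changes meaning rather than just the column: the victim host previously went out as `$src`, and now lands in `$resp_h`, which is where a victim belongs. State that in the commit message so the semantic change for existing notice.log consumers is visible; the redundant `cat()` around `format_sqli_samples` applies here as in the attacker hunk.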

/opt/bro/share/bro/policy/misc/scan.bro
NOTICE([$note=Address_Scan,
   #$src=key$host,
+   
$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=0.0.0.0,$resp_p=key$str],
+   #$p=to_port(key$str),
   $sub=side,
   $msg=message,
   $identifier=cat(key$host)]);
}]);
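Review bot: `$resp_p=key$str` assigns the string key to a `port` field; the commented-out `#$p=to_port(key$str)` line shows the conversion that was in place before, so this should read `$resp_p=to_port(key$str)`. Commenting out `$p` also empties the `p` column of the scanned port, which existing notice.log consumers may be keying on.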

…

NOTICE([$note=Port_Scan,
   #$src=key$host,
+   
$id=[$orig_h=key$host,$orig_p=0/tcp,$resp_h=key$str,$resp_p=0/tcp],
+   #$dst=to_addr(key$str),
   $sub=side,
   $msg=message,
   $identifier=cat(key$host)]);
}]);
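Review bot: `$resp_h=key$str` puts a string into an `addr` field; the commented-out `#$dst=to_addr(key$str)` line carries the conversion that is needed, so use `$resp_h=to_addr(key$str)`. As with the Address_Scan hunk, the scanned host disappears from the `dst` column once `$dst` is commented out, so consumers keyed on `dst` need to move to `id.resp_h` at the same time.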

/opt/bro/share/bro/policy/misc/detect-traceroute/main.bro
NOTICE([$note=Traceroute::Detected,
   $msg=fmt("%s seems to be running traceroute using %s", src, 
proto),
+   #$src=src,
+   $id=[$orig_h=src,$orig_p=0/icmp,$resp_h=dst,$resp_p=0/icmp],
   $identifier=cat(src,proto)]);
}]);
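Review bot: the `$id` line hard-codes `$orig_p=0/icmp` and `$resp_p=0/icmp` while the `$msg` two lines above reports the protocol from the `proto` variable, so a traceroute detected over any other protocol is logged with an ICMP `conn_id`. Either derive the port protocol from `proto` or document the ports as a sentinel; otherwise this is the only hunk where both `$orig_h` and `$resp_h` are real hosts, so no address sentinel is needed here.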
{quote}



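As an added example (not code from the ticket, from Brian's scripts, or from Bro itself), a small Python reader for Bro's tab-separated ASCII notice.log that picks the offending host out of either the legacy `src` column or the `id.orig_h`/`id.resp_h` columns, and flags rows whose `id.*` fields hold the `0.0.0.0`/`0` sentinels the hunks above fill in. The log sample is constructed and uses only a subset of notice.log's columns.

```python
import codecs
import io

PLACEHOLDER_ADDR = "0.0.0.0"  # sentinels the hunks put into the unknown side of $id
PLACEHOLDER_PORT = "0"

# Constructed sample (not a real capture): Bro ASCII log header directives plus
# four notice rows using a subset of notice.log's columns.
SAMPLE_NOTICE_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tsrc\tdst\tp
1426032000.0\t-\t-\t-\t-\tSSH::Password_Guessing\tlegacy src only\t10.0.0.5\t-\t-
1426032001.0\t10.0.0.5\t0\t0.0.0.0\t0\tSSH::Password_Guessing\tid with sentinels\t-\t-\t-
1426032002.0\t0.0.0.0\t0\t10.0.0.9\t0\tHTTP::SQL_Injection_Victim\tvictim in resp_h\t-\t-\t-
1426032003.0\t10.0.0.7\t51234\t10.0.0.9\t80\tHTTP::SQL_Injection_Attacker\treal connection\t10.0.0.7\t10.0.0.9\t80
"""

def parse_bro_log(text):
    """Yield one dict per data row keyed by #fields; unset values become None."""
    sep, unset, fields = "\t", "-", None
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator "):
            # Only this directive is space-separated; its value is an escape like \x09.
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "unset_field":
                unset = rest
            elif key == "fields":
                fields = rest.split(sep)
        else:
            yield {f: (None if v == unset else v)
                   for f, v in zip(fields, line.split(sep))}

def is_synthetic_id(row):
    """True when id.* holds the sentinels rather than an observed connection."""
    return (PLACEHOLDER_ADDR in (row.get("id.orig_h"), row.get("id.resp_h"))
            or PLACEHOLDER_PORT in (row.get("id.orig_p"), row.get("id.resp_p")))

def offender(row):
    """(host, column) the notice is about: legacy src first, else the real side of id."""
    if row.get("src"):
        return row["src"], "src"
    for col in ("id.orig_h", "id.resp_h"):
        if row.get(col) and row[col] != PLACEHOLDER_ADDR:
            return row[col], col
    return None, None
```

Grouping `offender(row)[0]` across rows gives the per-host view ELSA wants regardless of which column the emitting script used.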