[Discussion] David's Bro Script
David J. Bianco
david at vorant.com
Tue Nov 4 13:36:24 UTC 2008
Wow, I had no idea this was possible. Clearly, I still have much to learn
about Bro. I dig it, though, and will definitely be relying on it as part
of my suite of detection tools in the near future.
David
Seth Hall wrote:
> On Nov 3, 2008, at 8:14 PM, Martin Holste wrote:
>
>> David had a fine post again today <http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html>
>> showing how to make a Bro script from scratch which identified
>> non-whitelisted traffic. Could one of the Bro experts show how to take
>> that and make it able to be dynamically updated at run-time?
>
>
> It's update-able through the Bro communications protocol. If you are
> using the cluster shell, there is an update command that does this for
> you. You just need to make the changes to your global/const variables
> in your policy scripts and then do the following procedure...
>
> # cluster<return>
>
> > check
> (check for all to be ok)
> > install
> > update
>
> That *should* then put any updates to global/const variables in
> place. It's certainly possible to write other scripts that would do
> the same procedure without as well since ultimately all the shell does
> to cause the update process is throw an event through the
> communications protocol.
>
> .Seth
>
> ---
> Seth Hall
> Network Security - Office of the CIO
> The Ohio State University
> Phone: 614-292-9721
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
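The check/install/update procedure Seth describes, wrapped so that install and update only run when every node passes check, as an added example (not from the thread or the Bro project). It assumes the cluster shell accepts a command as `cluster <command>` non-interactively and that `check` prints one line per node ending in "ok"; both are assumptions, and the sample check output in the comments is constructed.

```sh
#!/bin/sh
# Added example: push edited global/const values to a running Bro cluster
# only after "check" reports every node ok. The non-interactive form
# `cluster check` and the per-node "... ok." output format are assumptions
# (the thread only shows the interactive prompt); sample lines below are
# constructed, e.g.:
#   manager scripts are ok.
#   worker-1 scripts failed.

# Return 0 only when at least one node line is present and none failed.
all_nodes_ok() {
    # $1: full output of "check", one node per line
    nodes=0
    failed=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        nodes=$((nodes + 1))
        case "$line" in
            *" ok"|*" ok.") ;;           # node passed
            *) failed=$((failed + 1)) ;; # anything else counts as a failure
        esac
    done <<EOF
$1
EOF
    [ "$nodes" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Run check, and only on a clean result install and update the cluster.
push_policy_update() {
    out=$(cluster check 2>&1) || return 1
    printf '%s\n' "$out"
    if all_nodes_ok "$out"; then
        cluster install && cluster update
    else
        echo "check reported problems; not installing or updating" >&2
        return 1
    fi
}
```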