[Discussion] David's Bro Script

Matt Jonkman jonkman at jonkmans.com
Tue Nov 4 15:13:26 UTC 2008


I agree, starting to play with bro and am duly impressed.

Still not convinced we can do all we want to using it as a framework,
but keeping an open mind...

Matt

Martin Holste wrote:
> Thanks, Seth.  Any idea how this would go using the Python-Broccoli
> interface?  The idea being that there would be a database somewhere with
> the ever-changing list of hosts, and at some regular interval, the data
> would be dumped from the DB via Python-Broccoli to a running Bro instance.
> 
> --Martin
> 
> On Tue, Nov 4, 2008 at 7:36 AM, David J. Bianco <david at vorant.com> wrote:
> 
>     Wow, I had no idea this was possible.  Clearly, I still have much to
>     learn about Bro.  I dig it, though, and will definitely be relying on it
>     as part of my suite of detection tools in the near future.
> 
>            David
> 
>     Seth Hall wrote:
>     > On Nov 3, 2008, at 8:14 PM, Martin Holste wrote:
>     >
>     >> David had a fine post again today
>     >> <http://blog.vorant.com/2008/11/detecting-outgoing-connections-from.html>
>     >> showing how to make a Bro script from scratch which identified
>     >> non-whitelisted traffic.  Could one of the Bro experts show how to take
>     >> that and make it able to be dynamically updated at run-time?
>     >
>     >
>     > It's update-able through the Bro communications protocol.  If you are
>     > using the cluster shell, there is an update command that does this for
>     > you.  You just need to make the changes to your global/const variables
>     > in your policy scripts and then do the following procedure...
>     >
>     > # cluster<return>
>     >
>     >    > check
>     >    (check for all to be ok)
>     >    > install
>     >    > update
>     >
>     > That *should* then put any updates to global/const variables in
>     > place.  It's certainly possible to write other scripts that would do
>     > the same procedure without as well since ultimately all the shell does
>     > to cause the update process is throw an event through the
>     > communications protocol.
>     >
>     >    .Seth
>     >
>     > ---
>     > Seth Hall
>     > Network Security - Office of the CIO
>     > The Ohio State University
>     > Phone: 614-292-9721
>     >
>     > _______________________________________________
>     > Discussion mailing list
>     > Discussion at openinfosecfoundation.org
>     > http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
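The thread above asks how a whitelist-style Bro policy can be changed without restarting the sensor. The script below is an added illustration and is not David's script, Seth's procedure, or code from the Bro project; the notice name `NonWhitelistedOutbound`, the set `allowed_dests`, the subnet list `internal_nets`, and the event `add_allowed_dest` are all names chosen for this example, and the addresses in it are constructed values. It uses Bro 1.x-era syntax as discussed in the thread: the set is `&redef` so a policy file (or the cluster shell `check`/`install`/`update` cycle) can change it at load time, and the `add_allowed_dest` event gives a connected peer, such as a Broccoli client feeding hosts from a database, a way to grow the set while Bro is running. Configuring the remote peer that is allowed to raise that event is done in the communication setup and is outside this snippet.

```bro
# Added example, not part of the original thread or of Bro itself.
@load notice

# A notice type for this example (name is assumed, not from the page).
redef enum Notice += { NonWhitelistedOutbound };

# Destinations internal hosts may reach.  &redef allows policy-file updates;
# the event handler below allows updates from a connected peer at run time.
global allowed_dests: set[addr] &redef;

# Address space treated as "internal" (constructed example value).
const internal_nets: set[subnet] = { 10.0.0.0/8 } &redef;

# Seed values a policy file might supply (constructed example values).
redef allowed_dests += { 192.0.2.10, 192.0.2.11 };

# A peer (e.g. a Broccoli client pushing a database-driven host list)
# raises this event to add a destination without a restart.
event add_allowed_dest(h: addr)
    {
    add allowed_dests[h];
    }

# Flag outbound connections from internal space to anything not allowed.
event connection_established(c: connection)
    {
    if ( c$id$orig_h in internal_nets && c$id$resp_h !in allowed_dests )
        NOTICE([$note=NonWhitelistedOutbound, $conn=c,
                $msg=fmt("%s -> %s is not on the allow list",
                         c$id$orig_h, c$id$resp_h)]);
    }
```

Two caveats a practitioner would want: additions made through the event live only in the running process, so the authoritative list (the database Martin describes, or the policy file) must be the source of truth and be re-pushed after a restart; and because the check fires on `connection_established`, the notice is raised after the handshake completes, which makes it a detection, not a block.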




