Custom Bro Script Not Logging or Sending Notices
135 views
Skip to first unread message
Connor Borchgrevink
Jul 12, 2016, 5:24:06 PM7/12/16
to security-onion
I recently began poking around Bro and had my first attempt of writing a script. The purpose of it was to detect whether or not traffic on port 443 used SSL. After finishing the code I ran broctl, and deployed it with no errors. Now nothing is happening with the notifications or the log that was supposed to be created. It is more than likely that its an error with my code, but maybe you all can help out. The code is as follows (be warned its pretty rough):
@load base/protocols/ssl
@load base/frameworks/notice
@load base/protocols/conn
@load base/utils/directions-and-hosts
module conn;
module Unencrypted_Traffic;
export {
redef enum Log::ID += { LOG };
redef enum Notice::Type += {
Unencrypted_Traffic
};
const List_of_Hosts = ALL_HOSTS &redef;
const Encryption = "SSL" &redef;
type Info: record {
ts: time &log;
src: addr &log;
dst: addr &log;
proto: string &log &optional;
};
global log_unencrypted_traffic:event(rec: Info);
}
event new_connection(c: connection) &priority=3
{
Log::create_stream(Unencrypted_Traffic::LOG, [$columns=Info, $ev=log_unencrypted_traffic, $path="Unencrypted Traffic"]);
if ( ! addr_matches_host(c$id$resp_h, List_of_Hosts) )
return;
local port_number=c$conn$id$resp_p;
local encrypted=c$conn$service;
local src =c$conn$id$resp_h;
local dst =c$conn$id$orig_h;
local proto =c$conn$proto;
if ( port_number != 443/tcp )
return;
if ( encrypted != Encryption )
Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]);
NOTICE([$note=Unencrypted_Traffic,
$msg=fmt("Unencrypted traffic"),
$conn=c,
$identifier=cat(c$id$resp_h, c$id$resp_p)
]);
}
It is probably something I am not catching in my code or a limited knowledge of bro, but any help is much appreciated.
Thanks
Connor
@load base/protocols/ssl
@load base/frameworks/notice
@load base/protocols/conn
@load base/utils/directions-and-hosts
module conn;
module Unencrypted_Traffic;
export {
redef enum Log::ID += { LOG };
redef enum Notice::Type += {
Unencrypted_Traffic
};
const List_of_Hosts = ALL_HOSTS &redef;
const Encryption = "SSL" &redef;
type Info: record {
ts: time &log;
src: addr &log;
dst: addr &log;
proto: string &log &optional;
};
global log_unencrypted_traffic:event(rec: Info);
}
event new_connection(c: connection) &priority=3
{
Log::create_stream(Unencrypted_Traffic::LOG, [$columns=Info, $ev=log_unencrypted_traffic, $path="Unencrypted Traffic"]);
if ( ! addr_matches_host(c$id$resp_h, List_of_Hosts) )
return;
local port_number=c$conn$id$resp_p;
local encrypted=c$conn$service;
local src =c$conn$id$resp_h;
local dst =c$conn$id$orig_h;
local proto =c$conn$proto;
if ( port_number != 443/tcp )
return;
if ( encrypted != Encryption )
Log::write(LOG, [$ts=network_time(), $src=src, $dst=dst, $proto=proto]);
NOTICE([$note=Unencrypted_Traffic,
$msg=fmt("Unencrypted traffic"),
$conn=c,
$identifier=cat(c$id$resp_h, c$id$resp_p)
]);
}
It is probably something I am not catching in my code or a limited knowledge of bro, but any help is much appreciated.
Thanks
Connor
Doug Burks
Jul 12, 2016, 5:40:44 PM7/12/16
to securit...@googlegroups.com
Hi Connor,
Is your goal to write a Bro script or is your goal to detect non-ssl traffic on port 443? If it's the latter, have you considered leveraging the existing Bro conn.log with an ELSA query like this?
class=BRO_CONN dstport=443 -service="ssl"
Is your goal to write a Bro script or is your goal to detect non-ssl traffic on port 443? If it's the latter, have you considered leveraging the existing Bro conn.log with an ELSA query like this?
class=BRO_CONN dstport=443 -service="ssl"
> --
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
Connor Borchgrevink
Jul 12, 2016, 5:56:02 PM7/12/16
to security-onion
Howdy,
Thank you for your response. So I am trying to detect non-ssl traffic on port 443 but doing it with the ELSA query would leave me without a consistent log of all of the results wouldn’t it? (I apologize if thats a dumb question, again very new to bro and security onion).
To your question my actual goal is to write the script. I am attempting to get my feet wet with creating logs and notifications, so I can apply this to later scripts if that makes sense.
Thank you again for your response.
Thank you for your response. So I am trying to detect non-ssl traffic on port 443 but doing it with the ELSA query would leave me without a consistent log of all of the results wouldn’t it? (I apologize if thats a dumb question, again very new to bro and security onion).
To your question my actual goal is to write the script. I am attempting to get my feet wet with creating logs and notifications, so I can apply this to later scripts if that makes sense.
Thank you again for your response.
Message has been deleted
Doug Burks
Jul 13, 2016, 12:48:28 PM7/13/16
to securit...@googlegroups.com
Hi Connor,
Replies inline.
Replies inline.
On Tue, Jul 12, 2016 at 5:56 PM, Connor Borchgrevink <borchg...@aggienetwork.com> wrote:
>
> Howdy,
>
> Thank you for your response. So I am trying to detect non-ssl traffic on port 443 but doing it with the ELSA query would leave me without a consistent log of all of the results wouldn’t it? (I apologize if thats a dumb question, again very new to bro and security onion).
Depends on your definition of "consistent log" and what you actually want to do with the data. You already have the conn.log sitting there and can query it with ELSA or command line tools. Queries in ELSA can be scheduled to run every minute/hour/day, etc.
> To your question my actual goal is to write the script. I am attempting to get my feet wet with creating logs and notifications, so I can apply this to later scripts if that makes sense.
Looks like your script question was answered by Seth Hall over on the Bro list:
Reply all
Reply to author
Forward
0 new messages