| 1 | +# Liam Randall ( @Hectaman ). Critical Stack, LLC. |
| 2 | +# Script will log files to an inbound, outbound, or internal state. |
| 3 | +# |
| 4 | +# Logging files in this way is not necessarily as straighforward as one might wish |
| 5 | +# a the files framework allows for 0 or more transmitters or recievers. |
| 6 | +# This is reflected in the Files::Info record as tx_hosts and rx_hosts are both a |
| 7 | +# set of addresses. |
| 8 | + |
| 9 | +event bro_init() |
| 10 | +{ |
| 11 | + |
| 12 | +# Remove the default files.log |
| 13 | +Log::remove_default_filter(Files::LOG); |
| 14 | + |
| 15 | + |
| 16 | +Log::add_filter(Files::LOG, [ |
| 17 | + $name = "files-directions", |
| 18 | + $path_func(id: Log::ID, path: string, rec: Files::Info) = |
| 19 | + { |
| 20 | + # What if there are no parents; they are optional |
| 21 | + if (!rec?$tx_hosts || !rec?$rx_hosts) |
| 22 | + return "files_internal"; |
| 23 | + # There are parents but one is missing.. *sniff* |
| 24 | + if (|rec$tx_hosts| == 0 || |rec$rx_hosts| == 0) |
| 25 | + return "files_internal"; |
| 26 | + |
| 27 | + # ok, ignore the edge case, grab the first tx & rx and log it |
| 28 | + # NOTE: there could be more than one tx or rx here |
| 29 | + for (tx in rec$tx_hosts) |
| 30 | + for (rx in rec$rx_hosts) |
| 31 | + { |
| 32 | + local transmitter = Site::is_local_addr(tx); |
| 33 | + local reciever = Site::is_local_addr(rx); |
| 34 | + if(transmitter && reciever) |
| 35 | + return "files_internal"; |
| 36 | + if (transmitter) |
| 37 | + return "files_outbound"; |
| 38 | + else |
| 39 | + return "files_inbound"; |
| 40 | + } |
| 41 | + } |
| 42 | + ]); |
| 43 | +} |
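Review bot: The final `else` at lines 38-39 of the path function labels a file as "files_inbound" whenever the transmitter is not local, which also covers the case where neither tx nor rx is in Site::local_nets (and, if Site::local_nets is left at its default empty value, every file lands there); the three-way split should be an explicit four-way one, replacing the `else` with `if (reciever) return "files_inbound";` and following it with `return "files_external";` so that a pair with no local endpoint is not reported as inbound. The same trailing return after the loops would also guarantee a value on every path rather than relying on the non-empty-set guards above. The event body is entirely within the hunk. As a point of style, the local `reciever` (and "recievers"/"straighforward" in the header comment) is misspelled; `receiver` would read better and match the field naming used elsewhere in the files framework.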