[Bro-Dev] #273: "read" command in broctl
Bro Tracker
bro at tracker.icir.org
Mon Apr 11 14:50:12 PDT 2011
#273: "read" command in broctl
------------------------------+-------------------
Reporter: seth | Owner:
Type: Feature Request | Status: seen
Priority: Normal | Milestone:
Component: BroControl | Version: 1.5.1
Resolution: | Keywords:
------------------------------+-------------------
Comment (by will):
Expounding upon what is already here, I would suggest the following
functionality be added to Broctl.
{{{
usage: broctl [options] [file ...]
<file> |policy file, or stdin
-r|read |--readfile <readfile> |reads from given tcpdump file
-t|trace|--tracefile <tracefile> |activate execution tracing
-d|debug|--debug-policy |activate policy file debugging
[BroControl] > -t execfile -r /data/badness.pcap local.policy.bro
}}}
The above would create log files for anything called by the
local.policy.bro script. The execfile would contain execution tracing of
the entire process used by broctl, including the use of broctl scripts.
{{{
cat execfile |less
0.000000 /usr/local/bro/share/bro/bro.init:303 function called: open_log_file(tag = 'alarm')
0.000000 /usr/local/bro/share/bro/bro.init:298 function called: log_file_name(tag = 'alarm')
0.000000 /usr/local/bro/share/bro/bro.init:297 Builtin Function called: getenv(var = 'BRO_LOG_SUFFIX')
0.000000 /usr/local/bro/share/bro/bro.init:297 Function return:
0.000000 /usr/local/bro/share/bro/bro.init:298 Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'alarm', vararg1 = 'log')
0.000000 /usr/local/bro/share/bro/bro.init:298 Function return: alarm.log
0.000000 /usr/local/bro/share/bro/bro.init:298 Function return: alarm.log
0.000000 /usr/local/bro/share/bro/bro.init:303 Builtin Function called: open(f = 'alarm.log')
0.000000 /usr/local/bro/share/bro/bro.init:303 Function return: file "alarm.log" of string
[...truncated]
}}}
Example of log files created (this would obviously depend completely upon
the configuration of local.policy.bro):
{{{
drwx------ 3 root wheel 512 Apr 11 17:35 .state
-rw-r--r-- 1 root wheel 222 Apr 11 17:35 alarm.log
-rw-r--r-- 1 root wheel 5476223 Apr 11 17:35 badness
-rw-r--r-- 1 root wheel 390608 Apr 11 15:54 badness.pcap
-rw-r--r-- 1 root wheel 1118 Apr 11 17:35 conn.log
-rw-r--r-- 1 root wheel 92 Apr 11 17:35 ftp-ext.log
-rw-r--r-- 1 root wheel 0 Apr 11 17:35 ftp.log
-rw-r--r-- 1 root wheel 92 Apr 11 17:35 http-client-body.log
-rw-r--r-- 1 root wheel 344 Apr 11 17:35 http-ext-identified-files.log
-rw-r--r-- 1 root wheel 1595 Apr 11 17:35 http-ext.log
-rw-r--r-- 1 root wheel 16 Apr 11 17:35 http-user-agents.log
-rw-r--r-- 1 root wheel 33593 Apr 11 17:35 http.log
-rw-r--r-- 1 root wheel 0 Apr 11 17:35 known-hosts.log
-rw-r--r-- 1 root wheel 0 Apr 11 17:35 known-services.log
-rw-r--r-- 1 root wheel 472 Apr 11 17:35 notice.log
-rw-r--r-- 1 root wheel 0 Apr 11 17:35 null.log
-rw-r--r-- 1 root wheel 10025 Apr 11 17:35 prof.log
-rw-r--r-- 1 root wheel 0 Apr 11 17:35 signatures.log
-rw-r--r-- 1 root wheel 225 Apr 11 17:35 weird.log
}}}
--
Ticket URL: <http://tracker.icir.org/bro/ticket/273#comment:3>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
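As an added example (not code from this ticket, from Bro or from BroControl), here is a small Python tool that does with the proposed execfile what the comment is after: it parses the trace lines, pairs each "Function return" with the innermost open call, and tallies which functions each script fired while the pcap was replayed, so a reviewer can see exactly what local.policy.bro did with badness.pcap. The line format (timestamp, script:line, then "function called", "Builtin Function called" or "Function return") is assumed from the excerpt above; the embedded sample input is those nine trace lines re-joined where the mail wrapped them. Point it at the real file given to -t to get the per-script call list.

```python
"""Summarise a Bro execution trace (the file written by -t) per script.

Added example, not part of the ticket or of Bro/BroControl. The line format is
assumed from the excerpt quoted in the comment above:
    <timestamp> <script>:<line> function called: NAME(args)
    <timestamp> <script>:<line> Builtin Function called: NAME(args)
    <timestamp> <script>:<line> Function return: VALUE
"""
import re
import sys
from collections import Counter

# Constructed sample input: the trace lines quoted in the comment, re-joined
# where the mail wrapped them. A real run would read the -t file instead.
SAMPLE_TRACE = """\
0.000000 /usr/local/bro/share/bro/bro.init:303 function called: open_log_file(tag = 'alarm')
0.000000 /usr/local/bro/share/bro/bro.init:298 function called: log_file_name(tag = 'alarm')
0.000000 /usr/local/bro/share/bro/bro.init:297 Builtin Function called: getenv(var = 'BRO_LOG_SUFFIX')
0.000000 /usr/local/bro/share/bro/bro.init:297 Function return:
0.000000 /usr/local/bro/share/bro/bro.init:298 Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'alarm', vararg1 = 'log')
0.000000 /usr/local/bro/share/bro/bro.init:298 Function return: alarm.log
0.000000 /usr/local/bro/share/bro/bro.init:298 Function return: alarm.log
0.000000 /usr/local/bro/share/bro/bro.init:303 Builtin Function called: open(f = 'alarm.log')
0.000000 /usr/local/bro/share/bro/bro.init:303 Function return: file "alarm.log" of string
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<file>\S+):(?P<line>\d+) (?P<rest>.*)$")
CALL_RE = re.compile(r"^(?P<builtin>Builtin )?[Ff]unction called: (?P<name>\w+)\((?P<args>.*)\)$")
RET_RE = re.compile(r"^Function return:(?: (?P<value>.*))?$")


def parse_trace(text):
    """Turn trace text into a list of call/return event dicts; reject lines that do not fit."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: not a trace line: {raw!r}")
        ev = {"ts": float(m.group("ts")), "file": m.group("file"), "line": int(m.group("line"))}
        rest = m.group("rest")
        call, ret = CALL_RE.match(rest), RET_RE.match(rest)
        if call:
            ev.update(kind="call", name=call.group("name"), args=call.group("args"),
                      builtin=call.group("builtin") is not None)
        elif ret:
            # An empty return (getenv of an unset variable above) is recorded as "".
            ev.update(kind="return", value=ret.group("value") or "")
        else:
            raise ValueError(f"line {lineno}: unrecognised event: {rest!r}")
        events.append(ev)
    return events


def pair_calls(events):
    """Match each return with the innermost open call (calls nest, so a stack suffices).

    Returns the calls in call order with "depth" and "returned" filled in;
    "returned" stays None for calls still open when the trace ends (truncated file).
    """
    stack, calls = [], []
    for ev in events:
        if ev["kind"] == "call":
            call = dict(ev, depth=len(stack), returned=None)
            stack.append(call)
            calls.append(call)
        else:
            if not stack:
                raise ValueError(f"return at {ev['ts']} with no open call")
            stack.pop()["returned"] = ev["value"]
    return calls


def call_summary(calls, script=None):
    """Count calls per (script file, function); `script` restricts to paths containing it."""
    counts = Counter()
    for c in calls:
        if script is None or script in c["file"]:
            counts[(c["file"], c["name"])] += 1
    return counts


def render(calls):
    """Indented call tree, one line per call, returned as a list of strings."""
    lines = []
    for c in calls:
        kind = "bif" if c["builtin"] else "fn"
        ret = "<open>" if c["returned"] is None else repr(c["returned"])
        lines.append(f"{'  ' * c['depth']}{kind} {c['name']}({c['args']}) -> {ret}  [{c['file']}:{c['line']}]")
    return lines


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    calls = pair_calls(parse_trace(text))
    print("\n".join(render(calls)))
    for (path, name), n in sorted(call_summary(calls).items()):
        print(f"{n:6d}  {name}  ({path})")
```

Run it as `python trace_summary.py execfile` (the name is hypothetical) to see the call tree and the per-script counts; `call_summary(calls, "local.policy")` narrows the tally to the policy under test. On the sample the outermost open_log_file call is reported as still open, because the excerpt is truncated before its return; a parser that silently dropped such calls would hide the tail of a real trace in the same way.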