[Bro-Dev] #273: "read" command in broctl

Bro Tracker bro at tracker.icir.org
Mon Apr 11 14:50:12 PDT 2011


#273: "read" command in broctl
------------------------------+-------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  seen
  Priority:  Normal           |  Milestone:
 Component:  BroControl       |    Version:  1.5.1
Resolution:                   |   Keywords:
------------------------------+-------------------

Comment (by will):

 Expounding upon what is already here, I would suggest the following
 functionality be added to Broctl.

 {{{
 usage: broctl [options] [file ...]
 <file>                            |policy file, or stdin
 -r|read |--readfile <readfile>    |reads from given tcpdump file
 -t|trace|--tracefile <tracefile>  |activate execution tracing
 -d|debug|--debug-policy           |activate policy file debugging

 [BroControl] > -t execfile -r /data/badness.pcap local.policy.bro

 }}}

 The above would create a log file for anything called by the
 local.policy.bro script. The execfile would contain an execution trace of
 the entire process used by broctl, including the use of broctl scripts.

 {{{
 cat execfile | less
 0.000000 /usr/local/bro/share/bro/bro.init:303  function called: open_log_file(tag = 'alarm')
 0.000000 /usr/local/bro/share/bro/bro.init:298          function called: log_file_name(tag = 'alarm')
 0.000000 /usr/local/bro/share/bro/bro.init:297                  Builtin Function called: getenv(var = 'BRO_LOG_SUFFIX')
 0.000000 /usr/local/bro/share/bro/bro.init:297                  Function return:
 0.000000 /usr/local/bro/share/bro/bro.init:298                  Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'alarm', vararg1 = 'log')
 0.000000 /usr/local/bro/share/bro/bro.init:298                  Function return: alarm.log
 0.000000 /usr/local/bro/share/bro/bro.init:298          Function return: alarm.log
 0.000000 /usr/local/bro/share/bro/bro.init:303          Builtin Function called: open(f = 'alarm.log')
 0.000000 /usr/local/bro/share/bro/bro.init:303          Function return: file "alarm.log" of string
 [...truncated]
 }}}

 Example of log files created (this would obviously depend completely upon
 the configuration of local.policy.bro)

 {{{
 drwx------  3 root  wheel      512 Apr 11 17:35 .state
 -rw-r--r--  1 root  wheel      222 Apr 11 17:35 alarm.log
 -rw-r--r--  1 root  wheel  5476223 Apr 11 17:35 badness
 -rw-r--r--  1 root  wheel   390608 Apr 11 15:54 badness.pcap
 -rw-r--r--  1 root  wheel     1118 Apr 11 17:35 conn.log
 -rw-r--r--  1 root  wheel       92 Apr 11 17:35 ftp-ext.log
 -rw-r--r--  1 root  wheel        0 Apr 11 17:35 ftp.log
 -rw-r--r--  1 root  wheel       92 Apr 11 17:35 http-client-body.log
 -rw-r--r--  1 root  wheel      344 Apr 11 17:35 http-ext-identified-files.log
 -rw-r--r--  1 root  wheel     1595 Apr 11 17:35 http-ext.log
 -rw-r--r--  1 root  wheel       16 Apr 11 17:35 http-user-agents.log
 -rw-r--r--  1 root  wheel    33593 Apr 11 17:35 http.log
 -rw-r--r--  1 root  wheel        0 Apr 11 17:35 known-hosts.log
 -rw-r--r--  1 root  wheel        0 Apr 11 17:35 known-services.log
 -rw-r--r--  1 root  wheel      472 Apr 11 17:35 notice.log
 -rw-r--r--  1 root  wheel        0 Apr 11 17:35 null.log
 -rw-r--r--  1 root  wheel    10025 Apr 11 17:35 prof.log
 -rw-r--r--  1 root  wheel        0 Apr 11 17:35 signatures.log
 -rw-r--r--  1 root  wheel      225 Apr 11 17:35 weird.log
 }}}

-- 
Ticket URL: <http://tracker.icir.org/bro/ticket/273#comment:3>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
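A parser for the execution-trace format quoted in the comment above, as an added example that is not part of the ticket, of broctl or of Bro. The line layout (timestamp, `file:line`, then `function called:`, `Builtin Function called:` or `Function return:`) is assumed from the sample trace alone; the sample input below is that trace with the e-mail line wrapping undone, and the watch list of builtins (`open`, `getenv`) is the caller's choice, not a Bro-defined set. Nesting is recovered by matching calls to returns with a stack rather than from the indentation, and calls that never return (the quoted trace is truncated) are reported separately.

```python
"""Parse a Bro -t/--tracefile execution trace into a call tree.

Added example for this ticket; it is not broctl or Bro code. The line
format is assumed from the sample trace quoted in the ticket. Event kinds
other than the three seen there are not handled and raise ValueError.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout of one trace line (taken from the sample on the page).
_LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<file>\S+):(?P<line>\d+)\s+"
    r"(?P<kind>Builtin Function called|function called|Function return):"
    r"\s*(?P<detail>.*)$",
    re.IGNORECASE,
)
# "name(arg = value, ...)" as printed for a call event.
_CALL_RE = re.compile(r"^(?P<name>[A-Za-z_][\w:]*)\((?P<args>.*)\)$")


@dataclass
class Call:
    ts: float
    file: str
    line: int
    name: str
    args: str
    builtin: bool
    depth: int                 # nesting level, 0 for the outermost call
    ret: Optional[str] = None  # None until the matching return is seen


def parse_trace(text):
    """Return (calls, unreturned): every call in order, plus those still open.

    Calls and returns are paired with a stack, so nesting comes from event
    order rather than from the mail-mangled indentation. A truncated trace,
    like the one in the ticket, leaves its outer calls on the stack.
    """
    calls, stack = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = _LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised trace line {raw!r}")
        kind = m["kind"].lower()
        if kind.endswith("called"):
            c = _CALL_RE.match(m["detail"])
            if not c:
                raise ValueError(f"line {lineno}: cannot parse call {m['detail']!r}")
            call = Call(float(m["ts"]), m["file"], int(m["line"]),
                        c["name"], c["args"], kind.startswith("builtin"),
                        len(stack))
            calls.append(call)
            stack.append(call)
        else:
            if not stack:
                raise ValueError(f"line {lineno}: return with no open call")
            stack.pop().ret = m["detail"]
    return calls, stack


def builtin_calls(calls, watch=("open", "getenv")):
    """Map each watched builtin to the argument lists it was called with.

    A quick audit of what a policy script touches (files, environment) when
    run over a pcap; the watch list is the caller's choice.
    """
    seen = {}
    for c in calls:
        if c.builtin and c.name in watch:
            seen.setdefault(c.name, []).append(c.args)
    return seen


def render_tree(calls):
    """One indented line per call, with its return value if it returned."""
    return [
        "  " * c.depth + f"{c.name}({c.args}) -> "
        + ("<no return in trace>" if c.ret is None else repr(c.ret))
        for c in calls
    ]


# Constructed sample: the ticket's trace with the e-mail line wrapping undone.
SAMPLE_TRACE = """\
0.000000 /usr/local/bro/share/bro/bro.init:303  function called: open_log_file(tag = 'alarm')
0.000000 /usr/local/bro/share/bro/bro.init:298          function called: log_file_name(tag = 'alarm')
0.000000 /usr/local/bro/share/bro/bro.init:297                  Builtin Function called: getenv(var = 'BRO_LOG_SUFFIX')
0.000000 /usr/local/bro/share/bro/bro.init:297                  Function return:
0.000000 /usr/local/bro/share/bro/bro.init:298                  Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'alarm', vararg1 = 'log')
0.000000 /usr/local/bro/share/bro/bro.init:298                  Function return: alarm.log
0.000000 /usr/local/bro/share/bro/bro.init:298          Function return: alarm.log
0.000000 /usr/local/bro/share/bro/bro.init:303          Builtin Function called: open(f = 'alarm.log')
0.000000 /usr/local/bro/share/bro/bro.init:303          Function return: file "alarm.log" of string
"""

if __name__ == "__main__":
    calls, unreturned = parse_trace(SAMPLE_TRACE)
    print("\n".join(render_tree(calls)))
    print("watched builtins:", builtin_calls(calls))
    print("still open (trace truncated?):", [c.name for c in unreturned])
```

Running it on the sample yields a five-call tree in which `getenv` and `open` are the watched builtins, and `open_log_file` is left unreturned because the quoted trace ends before its return event.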