[Bro] how to add new event to Bro

Christian Kreibich christian at whoop.org
Thu Apr 7 18:28:02 PDT 2005


Hi Bing,

On Wed, 2005-04-06 at 17:16 -0400, bchen at cs.ucf.edu wrote:
> Hi all,
>    I am new to Bro. I want to add new events to Bro. These events would occur
> when some statistical parameters across multiple sessions to an internal
> host/network exceed their thresholds. An example event would be that the number
> of connections made from external hosts to a monitored internal host exceeds
> 100 in the last two seconds. Another example event would be that the number of
> rejected connection requests to my internal network exceeds 200 in the last two
> minutes. Anyone knows how to create such events?

it all depends on what kinds of events trigger updates to your
statistical parameters, and whether those elementary events already
exist or not. Generally a good way to find existing events is by looking
at src/event.bif, which lists all events the core can trigger. If you
find suitable building blocks in there, you can start with a new policy
script that maintains state through the event handlers for event types
you're interested in. If you cannot find anything suitable (which, at
least for network-based events, is rather unlikely), you might have to
extend the core to support new events to be handled by your policy
scripts.

In your case, the event types connection_attempt() and
connection_rejected() sound ideal. In their respective handlers, you can
maintain connection state in a number of tables to achieve what you
want. When you notice that the rate limits you defined are exceeded, you
can trigger an event "manually" using the event() statement, or just
perform the corresponding action directly in the state-maintaining code.

Have a look at scan.bro for an example of something that is similar to
what you want; also check out this thread in the archives:

  http://mailman.icsi.berkeley.edu/pipermail/bro/2005-February/001774.html

Hope this helps.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
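The approach Christian describes, written out as an added example that is not part of the thread and not Bro's own code: a policy script that counts in the connection_attempt() and connection_rejected() handlers and raises new events with the event statement once a threshold is crossed. It uses current Zeek (Bro's successor) script syntax; the module name, event names, thresholds and address ranges are assumptions.

```zeek
# Added example (not from the thread): thresholds over connection_attempt()
# and connection_rejected() that raise new events. Current Zeek syntax;
# all names and address ranges are hypothetical.
module ConnRate;

export {
    # Monitored address space (assumed value; adjust to your site).
    const internal_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;
    const attempt_threshold = 100 &redef;   # attempts per internal host ...
    const attempt_window    = 2sec &redef;  # ... within this window
    const reject_threshold  = 200 &redef;   # rejects to the whole network ...
    const reject_window     = 2min &redef;  # ... within this window
    # The new events; any script can handle them like a core event.
    global host_flood: event(h: addr, n: count, w: interval);
    global reject_flood: event(n: count, w: interval);
}

# Per-host counter; an entry is dropped attempt_window after creation,
# so attempts[h] approximates "attempts to h within the last window".
global attempts: table[addr] of count &create_expire=attempt_window;

# Network-wide reject counter, zeroed by a timer (tumbling window).
global rejects: count = 0;

event reset_rejects() { rejects = 0; }

# Fires for SYNs that get no answer; new_connection() counts every one.
event connection_attempt(c: connection)
    {
    local h = c$id$resp_h;
    if ( h !in internal_nets || c$id$orig_h in internal_nets )
        return;
    if ( h !in attempts )
        attempts[h] = 0;
    ++attempts[h];
    if ( attempts[h] == attempt_threshold )   # once per window
        event host_flood(h, attempts[h], attempt_window);
    }

event connection_rejected(c: connection)
    {
    if ( c$id$resp_h !in internal_nets )
        return;
    if ( rejects == 0 )   # first hit of a window arms the reset
        schedule reject_window { reset_rejects() };
    ++rejects;
    if ( rejects == reject_threshold )
        event reject_flood(rejects, reject_window);
    }
```

Any script can then consume the new events with an ordinary handler such as `event host_flood(h: addr, n: count, w: interval) { print fmt("%d attempts to %s within %s", n, h, w); }`.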