[Bro] Question about creating custom conn logs.

Mark Dedlow mtdedlow at lbl.gov
Tue Apr 24 07:45:41 PDT 2007


Alen,

I'm not a bro expert, just a novice user, but here's what I think.

First, if you have questions about your code, post the code.  It's hard
to tell what exactly you're doing from the description.

You don't need to create an event to do what you want.  Rather, you create
an *event handler*.  Bro generates the events, and runs your handler
at the appropriate time.   For example, here's an event handler
that gets run when a connection is finished, that is, this is a
handler for the built-in 'connection_finished' event.  The handler
receives a single parameter, which is a connection record.

event connection_finished(c: connection) {
     print fmt("conn %s:%d -> %s:%d",
               c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
}

Print this to a file, and that is a minimal example of a custom
connection logging policy.

(Note that in a real app, connection_finished is not the event
you want, since it will not run for a connection that never
finishes explicitly (FIN).  The event connection_state_remove
fires shortly after connection_finished, or when an unfinished
connection is timed out.)


As far as logging sequence numbers, keep in mind that connections
are at a different level of abstraction than sequence numbers,
which exist at the packet level.  The bro 'connection' record
has no record of any individual packets.  To get sequence numbers,
you need to write handlers for packet-level events.

Here's an example of a policy that would record the sequence
number of the SYN packet for a connection.  Note that the built-in
event 'new_packet' is passed the connection record and the packet
as parameters, so you can correlate packets with connections.

global conns_syn_seq: table[conn_id] of count;

event new_packet(c: connection, p: pkt_hdr) {
     # new_packet is also raised for UDP/ICMP packets, and p$tcp is
     # an &optional field that is only present for TCP, so test it first
     if ( ! p?$tcp )
         return;

     # keep the SYN sequence number (flags == 2 is a pure SYN, no ACK)
     if ( p$tcp$flags == 2 )
         conns_syn_seq[c$id] = p$tcp$seq;
}

event connection_finished(c: connection) {
     # no entry if the SYN was never seen, e.g. Bro started mid-connection;
     # indexing a table with a missing key is a runtime error
     if ( c$id !in conns_syn_seq )
         return;

     print fmt("conn %s:%d -> %s:%d (SYNseq#=%d)",
               c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
               conns_syn_seq[c$id]);
}


Mark
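Putting the two handlers together into a policy that writes its own log file, catches every TCP connection via connection_state_remove, and frees its table entries, as an added example that is not Mark's code or Bro's own: it assumes the Bro 1.x bro.init definitions of pkt_hdr (with an &optional tcp field), TH_SYN and open_log_file(), and the log tag "synseq" is an arbitrary choice.

```bro
# Added example (not from the original post): log every TCP connection,
# finished or timed out, with the sequence number of its opening SYN.
# Assumes Bro 1.x bro.init: pkt_hdr with &optional tcp field, the TH_SYN
# constant and open_log_file(). Log tag "synseq" is an arbitrary choice.

global synseq_log = open_log_file("synseq");

# Keyed by the connection 4-tuple so packet-level data can be joined
# to the connection it belongs to.
global conns_syn_seq: table[conn_id] of count;

event new_packet(c: connection, p: pkt_hdr)
	{
	# new_packet is raised for UDP/ICMP too; p$tcp is only set for TCP.
	if ( ! p?$tcp )
		return;

	# Only a pure SYN (SYN set, nothing else) opens a connection, and
	# only the first one counts, so a retransmitted SYN cannot overwrite
	# the recorded value.
	if ( p$tcp$flags == TH_SYN && c$id !in conns_syn_seq )
		conns_syn_seq[c$id] = p$tcp$seq;
	}

event connection_state_remove(c: connection)
	{
	# Runs for every connection when Bro drops its state, whether it
	# closed with FIN/RST or simply timed out, unlike connection_finished.
	if ( c$id !in conns_syn_seq )
		return;	# SYN never seen, e.g. Bro started mid-connection

	print synseq_log, fmt("%.6f %s:%d -> %s:%d SYNseq=%d dur=%.3f",
		c$start_time, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
		conns_syn_seq[c$id], c$duration);

	# Drop the entry so the table does not grow without bound.
	delete conns_syn_seq[c$id];
	}
```

Run it as an extra policy file alongside the default ones; the log lands in the file named by open_log_file's tag, not in conn.log.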




Alen Capalik wrote:
> Hi all,
> 
> I was wondering if someone can point me in the right direction
> regarding creating custom connection logs in Bro.  I'm sorry in
> advance if this is a question already asked before, but I could not
> find the answer or something remotely close to an answer.  I want to
> add some fields to current conn.<tag>.log files (namely for instance
> tcp sequence numbers) for all tcp connections or I want to create new
> connection log files with new fields.  I have written a new function
> (similar to record_connection()) in the <hostname>.bro file, as well as a
> new event calling that function.  The log files get created, but nothing
> is ever logged into them.
> 
> I guess my question would be, how do I create an event calling this
> function that will just record all tcp network traffic into customized
> log files?  I really don't want to do anything special to it, I just
> want to log the traffic with the format I defined in the function.  I
> have been using pkt_hdr, ip_hdr, tcp_hdr, udp_hdr data types from
> bro.init to add additional fields in fmt(). If you can just give me a
> quick format of the event that would do that, it would help
> tremendously, I can do the rest myself.
> 
> I hope this is enough information, if not please let me know.  Thank
> you in advance for any help.
> 
> Regards,
> Alen
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro