[Bro] First use of Bro

Ben Rosenberg scdlbx at gmail.com
Tue Jul 13 19:39:14 PDT 2010 

Hi,

I've recently begun using Bro and have found it to be a very interesting
tool to work with. I have started poking around some of the scripts and
trying a few of the exercises in the slides from the 2009 Bro workshop. So
far everything is working well.
I have created a few patches to fix small problems I had or add features
that I was looking for. I have attached these patches so that others can use
them if they find them useful. I am working off of svn build 7050. Here are
the list of changes I have made so far:

- Patched main.cc to add the -N command line flag. This effectively enables
BRO_FAKE_DNS for that run. I think this is more useful than using an
environment variable because the flags are listed in the command line help,
and it makes it easier to change from run to run without manipulating
environment variables.

- Removed duplicate login_non_failure_msgs from policy/login.bro. The same
block was listed twice, one with &redef and the other without. Seemed
superfluous.

- Commented out example in policy/scan.bro. It doesn't seem like making the
example value live added any value, and could possibly cause problems.

- Edited policy/ssh.bro to print what port is being used for ssh servers.
Also changed the data structure that tracks the servers to allow for
multiple ssh servers on the same system. I found this useful when using dpd.

- Created policy/dpd.ssh.bro that tells ssh to capture on all tcp ports.

- Changed src/DPM.cc so that the SSH Analyzer is hooked into the analyzer
tree, so that when using dpd.ssh.bro, ssh servers running on any tcp port
are detected.

There are still some more features I plan to work on. Depending on how
difficult it would be, I want to add the ability to hook an analyzer into
the analyzer tree via script, so that the source doesn't need to be edited
for each. Or so that functionality could be toggled on or off depending on
need.
I also started to convert the 6000+  Nmap service probe signatures into dpd
signatures. I have an initial list, but a lot of the Nmap regexs cause
problems with Bro. I am going to try to clean those up so that they can be
useable with Bro.
For the scripts that send packets, such as terminate-connection.bro and the
scripts that load it, I want to rewrite them so they can run in either
Active or Passive mode. In Passive mode they wouldn't send any packets,
which would be the default behavior. I know that currently the default
behavior is similar to this, but being able to designate individual scripts
to be active or passive, or knowing for sure that all scripts are being
passive could be useful and allow for more control.

I have a few more simple ideas that I will try to get working, and I will
probably think of more as I experiment more with Bro. Any feedback would be
greatly appreciated. Thanks for making such a great tool, using it has been
very fun and interesting so far and I hope to learn more from it.


Thanks,
Ben Rosenberg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100713/1922cfcc/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: main.cc.patch
Type: text/x-patch
Size: 1429 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100713/1922cfcc/attachment.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: login.bro.patch
Type: text/x-patch
Size: 549 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100713/1922cfcc/attachment-0001.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scan.bro.patch
Type: text/x-patch
Size: 355 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100713/1922cfcc/attachment-0002.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dpd.ssh.bro
Type: application/octet-stream
Size: 57 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100713/1922cfcc/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DPM.cc.patch
Type: text/x-patch
Size: 644 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100713/1922cfcc/attachment-0003.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh.bro.patch
Type: text/x-patch
Size: 1238 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100713/1922cfcc/attachment-0004.bin

More information about the Bro mailing list