[Bro] Howto

Seth Hall seth at icir.org
Thu Jul 21 09:13:45 PDT 2011


On Jul 21, 2011, at 10:16 AM, Martin Holste wrote:

> Every year, at least once a year, I make an honest effort to implement
> Bro and to start taking advantage of its advanced capabilities.  Each
> year, I spend a few hours on it and give up.

Unfortunately Bro has never been at a sufficient point to spend a few hours and start getting great results; it typically takes a lot more time and effort.  We're working hard to change that though.

> I want this year to be different.  

Great to hear Martin!

> How do I write a policy to detect when an SSL connection has a
> certificate which was created less than 30 days ago (not_valid_before 30 days ago)?

These will only work in the git master and we'll likely have some sort of notice for this situation for the release, but it's pretty easy and there are a couple of ways of doing it.

If you want to do it through the new logging framework...

@load protocols/ssl
event SSL::log_ssl(rec: SSL::Info)
	{
	if ( rec$not_valid_before > network_time() - 60*60*24*30 )
		{
		print fmt("%s is using a certificate that was created %d days ago", 
			rec$id$resp_h, (network_time()-rec$not_valid_before) / (60*60*24));
		}
	}

That code above doesn't output to the logging framework or the notice framework, but I wanted to pare it down to the bare minimum to demonstrate how easy that is.  If you want to use the actual internal SSL events, you can do this...

@load protocols/ssl
event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string)
	{
	# The entire certificate chain is presented to us here but we only want chain_idx==0 because that's the actual host certificate.
	if ( chain_idx != 0 )
		return;

	if ( cert$not_valid_before > network_time() - 60*60*24*30 )
		{
		print fmt("%s is using a certificate that was created %d days ago", 
			c$id$resp_h, (network_time()-cert$not_valid_before) / (60*60*24));
		}
	}

Please send along more concrete examples of tasks you'd like to complete.  Those are the kinds of questions I really like. :)

> How do I send arbitrary connection data to an external program and
> receive information back from it (and I need something more detailed
> than "use broccoli")?


Heh, the reason you've always gotten that answer is that that's a bit more complicated than we all wish it was.  If you could give me an example of what you are aiming to do here I may be able to give a good answer of either how to do it or make sure that it's possible soon.

We've begun defining a companion input framework to go along with the logging framework but it's still very early and we haven't begun writing any code for it yet (IOW, definitely not in the next release).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
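The same 30-day check as the first Bro snippet above, reworked as an added offline example in Python that is not part of the original message and not Bro script. It assumes a simplified tab-separated ssl.log layout (columns listed in FIELDS, "-" for unset values, epoch timestamps) and uses each record's own ts as the reference time, so replaying an old log gives the same verdict the live sensor would have. It also shows two edge cases the Bro condition silently covers: a record with no certificate validity at all (handshake never reached the certificate) is skipped, and a not_valid_before in the future (negative age, i.e. the certificate is not yet valid) is still flagged. All log lines below are constructed.

```python
"""Flag TLS server certificates whose not_valid_before is less than
30 days before the time the connection was logged.  Mirrors the Bro
condition  not_valid_before > network_time() - 60*60*24*30."""

THRESHOLD_SECONDS = 60 * 60 * 24 * 30
SECONDS_PER_DAY = 60 * 60 * 24

# Assumed column order for the constructed ssl.log lines (not the real Bro schema).
FIELDS = ("ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "subject", "not_valid_before", "not_valid_after")

# Constructed sample log: reference time 1311264000 (around the date of this thread).
_TS = 1311264000.0
SAMPLE_LINES = [
    "#fields\t" + "\t".join(FIELDS),                      # header line, skipped
    "\t".join(["%f" % _TS, "10.0.0.5", "51234", "192.0.2.10", "443",
               "CN=example-new.test",
               "%f" % (_TS - 5 * SECONDS_PER_DAY),          # issued 5 days ago  -> hit
               "%f" % (_TS + 360 * SECONDS_PER_DAY)]),
    "\t".join(["%f" % _TS, "10.0.0.6", "51235", "192.0.2.20", "443",
               "CN=example-old.test",
               "%f" % (_TS - 400 * SECONDS_PER_DAY),        # issued 400 days ago -> no hit
               "%f" % (_TS + 330 * SECONDS_PER_DAY)]),
    "\t".join(["%f" % _TS, "10.0.0.7", "51236", "192.0.2.30", "443",
               "CN=clock-skew.test",
               "%f" % (_TS + 2 * SECONDS_PER_DAY),          # not valid yet (-2 days) -> hit
               "%f" % (_TS + 367 * SECONDS_PER_DAY)]),
    "\t".join(["%f" % _TS, "10.0.0.8", "51237", "192.0.2.40", "443",
               "-", "-", "-"]),                             # no certificate seen -> skipped
]


def parse_ssl_log_line(line):
    """Split one tab-separated record into a dict; '-' becomes None,
    timestamp columns become floats.  Raises on a malformed line rather
    than guessing, so a schema change in the log is noticed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    for key in ("ts", "not_valid_before", "not_valid_after"):
        rec[key] = None if rec[key] == "-" else float(rec[key])
    return rec


def cert_age_days(rec):
    """Days between the record's ts and not_valid_before; negative means the
    certificate's validity period had not started yet.  None if unknown."""
    if rec["ts"] is None or rec["not_valid_before"] is None:
        return None
    return (rec["ts"] - rec["not_valid_before"]) / SECONDS_PER_DAY


def recently_issued(rec, threshold=THRESHOLD_SECONDS):
    """The Bro test, with ts standing in for network_time().  A record with
    no validity information cannot be judged and is not flagged."""
    if rec["ts"] is None or rec["not_valid_before"] is None:
        return False
    return rec["not_valid_before"] > rec["ts"] - threshold


def scan(lines, threshold=THRESHOLD_SECONDS):
    """Return (responder host, subject, age in days) for every flagged record."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_ssl_log_line(line)
        if recently_issued(rec, threshold):
            hits.append((rec["id.resp_h"], rec["subject"], cert_age_days(rec)))
    return hits


if __name__ == "__main__":
    for host, subject, age in scan(SAMPLE_LINES):
        print("%s is using a certificate (%s) that was created %.0f days ago"
              % (host, subject, age))
```

Because the age is computed from the record's ts, the script can be pointed at an archived log without the verdicts drifting as wall-clock time moves on; the negative-age case is worth reporting separately in practice, since a certificate that is not yet valid usually indicates clock skew on one side rather than a freshly issued certificate.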