[Bro] Bro questions from a rookie

Seth Hall seth at icir.org
Tue Sep 27 06:56:14 PDT 2016


> On Sep 26, 2016, at 1:08 PM, Alex Hope <alex.hope at shopify.com> wrote:
> 
> Hi! I'm a rookie Bro developer doing an internship. My first task requires me to work with Bro to tidy up how we use Bro to monitor network traffic. I'm trying to use the new_connection event to act as a catch-all for all traffic that doesn't fall into more specific categories. I have three questions:

Great!

> 1. If there is a DNS connection, how do I access that part of the record? If c is the connection, do I simply use 
>   c$dns$query
> and call it a day? So far that hasn't worked for me.

The first thing to know is that c$dns and most of the other protocol-specific fields in the connection record are just where logs are stored before being written out.  The other thing is to keep in mind that the log record is built out over time based on seeing different messages.  In the case of DNS, it fills out some fields from the request and some fields from the response.  If you attempt to print c$dns$query at the wrong point in time then it's very possible that the field you're interested in isn't available yet.

> 2. In the event that I can't just use new_connection for everything and then filter my reporting from there, is there a generic "dns_reply" type of event or do I need to use dns_A_reply and dns_AAAA_reply and so on for all DNS replies?

Ah!  This makes your previous question make more sense.  If you try to print c$dns$query in new_connection, it's never going to have anything in it because no query or responses have been seen yet (technically one would have been seen since there's no connection set-up phase with UDP but we'll ignore that for now).  With DNS, you can't use the connection_state_remove event either because you frequently see a lot of requests and responses on a single UDP "connection".

> 3. If I end up running with the various DNS reply events *and* the new_connection event in order to capture "everything else," is there a built-in way to only execute one event response when multiple events are triggered? For example, if I get a DNS A reply, that'll trigger the dns_A_reply event as well as the new_connection event. I'd like to only handle that traffic in the dns_A_reply event and not bother executing the new_connection event. Short of setting up some sort of global "Has already been handled" flag, is there a built-in way to run an event ONLY IF no other events were triggered?

If you're just looking to look at the logs as they're being written you can use the logging event.  Here's the prototype you'd want to handle...

event DNS::log_dns(log: DNS::Info)
	{
	# Your code here!
	}


  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
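As an added example (not part of Seth's reply or the Bro project's own scripts), here is one way to put the two points together: report DNS only from the finished log record via DNS::log_dns, and use connection_state_remove as the "everything else" catch-all. It assumes the DNS analyzer has added "DNS" to c$service for the connections it handled, and it just prints to stdout instead of writing a log.

```bro
# Added example script, not from the original mailing-list post.
# Requires the base DNS scripts to be loaded (they are by default).

event DNS::log_dns(rec: DNS::Info)
	{
	# By the time the log record is handed to this event, the fields filled
	# in from the request (query) and from the response (answers) are both
	# present when they were seen, so there is no "too early" problem here.
	local q = rec?$query ? rec$query : "<no query seen>";
	local answers = rec?$answers ? join_string_vec(rec$answers, ",") : "<no answers seen>";
	print fmt("DNS %s -> %s query=%s answers=%s",
	          rec$id$orig_h, rec$id$resp_h, q, answers);
	}

event connection_state_remove(c: connection)
	{
	# Catch-all for traffic no protocol analyzer claimed.  Assumption: the
	# DNS analyzer tags its connections with "DNS" in c$service, so skipping
	# those avoids reporting DNS twice without any global "handled" flag.
	# Adding other protocols works the same way (e.g. "HTTP" in c$service).
	if ( "DNS" in c$service )
		return;

	# resp_p carries the transport protocol too, e.g. "443/tcp".
	print fmt("other %s:%s -> %s:%s services=%s",
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          |c$service| == 0 ? "none" : join_string_set(c$service, ","));
	}
```

Run it with `bro -r trace.pcap this_script.bro` against a capture that contains DNS and non-DNS traffic to see each DNS transaction reported exactly once and everything else reported from the catch-all.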
