Bro Quick Start
@ (tutorial) [Bro]
Preface
When Bro is built from source, the default installation path ($PREFIX) is /usr/local/bro.
A source build can also generate the complete documentation with the make doc command, which requires:
1. Python 2.5 or later
2. Sphinx (sudo easy_install Sphinx)
3. Doxygen (sudo apt-get install doxygen)
Minimum startup configuration
Managing Bro with BroControl
BroControl is an interactive command-line tool for managing Bro. Its configuration files live under the installation directory:
$PREFIX/etc/node.cfg sets the interface Bro monitors; usually only the interface option needs to be changed.
$PREFIX/etc/networks.cfg: comment out the default entries and add the networks Bro should treat as its own.
$PREFIX/etc/broctl.cfg: set MailTo to the mail recipient and LogRotationInterval to change how often logs are archived.
Start the BroControl shell:
broctl
The first time the shell is started, the BroControl configuration must be initialized and installed:
[BroControl] > install
Then start a Bro instance:
[BroControl] > start
If startup fails, enter diag to view the diagnostic output.
If it succeeds, the Bro instance begins monitoring network traffic with the default policy and writes its logs under the $PREFIX/logs directory of the installation.
Stop it by entering stop:
[BroControl] > stop
It is also recommended to add the following line to crontab:
0-59/5 * * * * $PREFIX/bin/broctl cron
This acts as a watchdog that checks whether the Bro processes are running properly.
Browsing log files
By default, log files are human-readable ASCII text organized in tab-delimited columns.
Current logs are written to the $PREFIX/logs/current/ directory; if Bro is not running, this directory is empty.
Logs are usually organized by the analyzed network protocol and record a timestamp, the UID of the connection, source address and port, destination address and port, and protocol-specific details; for example, http.log also records the method, host, uri and user_agent fields.
By default, log files are archived and packaged by date, for example $PREFIX/logs/2011-10-06.
The archive interval is set by LogRotationInterval in $PREFIX/etc/broctl.cfg.
Deployment and customization
Most Bro deployments send e-mail when a network event requires human intervention and investigation; to get more out of Bro, developers can also use its scripting language to manipulate and analyze the traffic data.
To customize Bro, first become familiar with the information the default configuration generates, then adjust or extend it to suit the particular situation.
Bro scripts
Bro analyzes traffic for a specific network environment according to scripts written in advance.
The default scripts are installed under the $PREFIX/share/bro directory with the .bro extension; these scripts are best left where they are.
The two main script directories are base and policy.
By default, Bro automatically loads the scripts under the base directory (unless this is disabled with -b).
The scripts under policy cover more scenarios and cost more overhead, so the user must explicitly specify and load them.
The entry script BroControl uses by default is $PREFIX/share/bro/site/local.bro.
Redefining script option variables
Variables are redefined with Bro's redef operator.
Bro recommends declaring such variables with const and the &redef attribute. Redefining a constant looks a bit odd, but it simply means the variable does not change while Bro is running; its value can still be modified and redefined when the analysis is configured.
After modifying a script, run check, install and restart in broctl to check the script, reinstall it and restart Bro.
Next steps
Continue with the Using Bro and Writing Scripts documents.
The scripts under policy are surveyed in the script package overview.
Using Bro as a command-line tool
When the automation and management features of BroControl are not needed, Bro can be used directly to analyze live and offline data.
Monitoring live traffic
bro -i eth0 <list of scripts to load>
Log files are written to the current directory.
cd /usr/local/bro/share/bro/site
bro -i eth0 local
Reading a pcap file
First, capture some packets:
tcpdump -i eth0 -s 0 -w mypackets.trace
-s 0 captures whole packets; some tcpdump versions do not support it, so use -s 65535 instead.
Then analyze the capture with the default policy:
bro -r mypackets.trace
Or, if you are interested in more analysis, load the local Bro script as well:
bro -r mypackets.trace local
Telling Bro which scripts to load
A typical command line invokes Bro like this:
bro <options> <policies...>
The trailing arguments name the Bro policy scripts to load. The .bro extension is not required, and if the script lives under the $PREFIX/share/bro directory its directory does not need to be given either.
A directory containing a __load__.bro script can be loaded as a package.
The following command performs all of the base analysis and adds SSL certificate validation:
bro -r mypackets.trace protocols/ssl/validate-certs
You may notice that scripts use @load to declare that they depend on other scripts.
To load scripts from a non-default directory, add that directory to the BROPATH environment variable.
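To make the name resolution described in this section concrete, here is an added example (not part of the original tutorial and not Bro's own code): a POSIX shell function that looks a script name up the way the text describes, trying each BROPATH directory in order and, in each, the name itself, the name with .bro appended, and NAME/__load__.bro for a package. The directory tree it searches is a constructed temporary stand-in for $PREFIX/share/bro plus a user directory; the file names in it are chosen to match the ones used on this page.

```shell
#!/bin/sh
# Added example: approximate how a script named on the bro command line (or in
# @load) is located through BROPATH. This mirrors the lookup described in the
# text; it is not Bro's own implementation.

# bro_resolve NAME: print the matching file and return 0, or return 1 if no
# BROPATH entry contains NAME, NAME.bro or NAME/__load__.bro.
bro_resolve() {
  name=$1
  rest=$BROPATH
  while [ -n "$rest" ]; do
    dir=${rest%%:*}                       # first remaining BROPATH entry
    case $rest in
      *:*) rest=${rest#*:} ;;             # drop it from the remainder
      *)   rest= ;;
    esac
    [ -n "$dir" ] || continue
    for cand in "$dir/$name" "$dir/$name.bro" "$dir/$name/__load__.bro"; do
      if [ -f "$cand" ]; then
        printf '%s\n' "$cand"
        return 0
      fi
    done
  done
  return 1
}

# Constructed tree standing in for $PREFIX/share/bro plus a user directory
# (a temporary directory created here, not a real Bro installation).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/share/bro/site" "$DEMO/share/bro/protocols/ssl" "$DEMO/mysite"
: > "$DEMO/share/bro/site/local.bro"
: > "$DEMO/share/bro/protocols/ssl/__load__.bro"
: > "$DEMO/share/bro/protocols/ssl/validate-certs.bro"
: > "$DEMO/mysite/custom.bro"

# BROPATH covering the script root and the site directory, with the user
# directory appended so that scripts outside $PREFIX can be named as well.
BROPATH="$DEMO/share/bro:$DEMO/share/bro/site:$DEMO/mysite"
export BROPATH

bro_resolve local                        # -> .../share/bro/site/local.bro
bro_resolve protocols/ssl/validate-certs # single script, .bro appended
bro_resolve protocols/ssl                # package: its __load__.bro
bro_resolve custom                       # found through the extra BROPATH entry
```

The order of the BROPATH entries matters: the first directory that contains a match wins, which is why a local copy of a script placed in an earlier entry can shadow the installed one.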
Running Bro without installing it
./configure
make
source build/bro-path-dev.sh
bro <options>