Bro
GenericClient 0.2
Description
The bro GenericClinet is a tool that takes a formatted input stream and
creates legitimate bro events that can then be sent to a running
bro instance. It can be used to process regular text logs, such
as syslog or web logs and pass them via serialized objects to a bro
collector for analysis. Behavior of the software can be
controlled via the usual Broccoli mechanisms, or via command line
options.
There currently are two forms to the client. The first (and most
basic) is one that is based on a command line model - you hand it a
single line of input, and it connects to the bro instance. For
example you might do:
./broclient sample_event
addr=10.10.10.10 string=true ...
which would pass the event 'sample_event' to the default bro
instance on localhost, with the event arguments described in the
remaining arguments to broclinet. This might be useful when used
with scripts that are not run often, or when you might not have a well
defined situation such as testing.
Command line options for broclient are:
-d
debug (multiple times ok)
-h/? help message
-p port to connect to (see below)
with host and port options being defined via:
broclient
[-p port=47757] [host=127.0.0.1]
with the above port and IP being the default values.
The second version uses a local named pipe in order to facilitate
larger volumes of data. The advantage here is that a
single connection is made between the client and the bro instance that
it is talking with, and data can be processed without the burden of a
buildup or teardown. The operation of this is more like a daemon
than a single command. In this case, a pipe file is created in
the same directory that the command is run named
'brocsock'. For the same functionality described above, you
might issue the command:
echo "sample_event addr=10.10.10.10
string=true ..." > ./brocsock
Typically you would use something like a perl script to process the
text records into the appropriate form for broccoli processing.
It should be noted that there is no real reason to assume that text
files need be used. They are most common, but there is no reason
why binary data could not be parsed and evaluated.
Command line operation is identical with the broclient software.
Note that for both of these applications there is little in the way of
error checking being done here,
so it would be wise to understand the limitations of the code before it
is implemented in any non-experimental way.
Default Data Types
| Type |
Type tag |
Argument to Use
|
| Boolean |
BRO_TYPE_BOOL |
bool= (can use T|TRUE|1 == true)
|
| Integer value |
BRO_TYPE_INT |
int= |
| Counter (nonnegative integers) |
BRO_TYPE_COUNT |
count=
|
| Floating-point number |
BRO_TYPE_DOUBLE |
double= |
| Timestamp |
BRO_TYPE_TIME |
time=
|
| Time interval |
BRO_TYPE_INTERVAL |
interval=
|
| Strings (text and binary) |
BRO_TYPE_STRING |
string= |
| Network ports |
BRO_TYPE_PORT |
port= (EX: port=1234/tcp)
|
| IPv4 address |
BRO_TYPE_IPADDR |
addr=
|
| IPv4 network |
BRO_TYPE_NET |
net=
|
| IPv4 subnet |
BRO_TYPE_SUBNET |
subnet=
(EX: subnet=10.10.10.0/24)
|
Processing on the Bro Side
To accept an event from a remote sensor, two things must be done.
First, the bro instance must be told to accept connections and ideally
specific event types from a given sensor. The modifications
should look something like:
redef
Remote::destinations += {
["syslogclient"] = [$host = 10.11.12.13, $events = /.*/, $connect=F,
$retry = 60 secs, $ssl=T]
};
which will allow any event type from host 10.11.12.13 . It is
highly recommended that SSL be used between sensor instances and the
analyzer bro as is configured in this case. Once this is
configured, you only need to describe the event type in a local policy
file. For example:
event
foo(b: bool, a: addr)
{
local S:string
= fmt("Address %s is %s", a, b);
print(S);
}
is a nonsence event that might be accessed via:
echo
"foo bool=T addr=1.2.3.4" > ./brocsock
or
./broclient
foo bool=T addr=1.2.3.4
Download
For the 'broclient' software:
BROCLIENT 0.1
For the 'bropipe' software:
BROPIPE 0.2
Contact me for sample policy code. The most significant bit is a
(ssh) login analyzer which I would be happy to post if there is
any interest in it.
Powered by Broccoli