bro scripts
play

Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: - PowerPoint PPT Presentation

Dec 13, 2022 •154 likes •292 views

Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: Bro-Overview and introduction. Structure, setup, administration. Exercise: find your way around in the training VM. Block 2: Bro-logs, network logs. Introduction on

  1. Bro Scripts The Bro Monitoring Platform

  2. Agenda Thursday Block 1: Bro-Overview and introduction. Structure, setup, administration. • Exercise: find your way around in the training VM. • Block 2: Bro-logs, network logs. • Introduction on logs in Bro. • Exercise: use Bro logs to find the attack. Block 3: Working with Bro scripts. Exercise: access and use included and external • scripts. 2 The Bro Monitoring Platform

  3. Block 3 Outline • Using included scripts • Working with external scripts • First glimpse on the Bro scripting language 3 The Bro Monitoring Platform

  4. Objectives for this block • Being able to find and include Bro scripts • Get familiar with the different sources of Bro scripts • Understand the basics of the Bro scripting language 4 The Bro Monitoring Platform

  5. Scripts are Bro’s “Magic Ingredient” Bro comes with >10,000 lines of script code. Prewritten functionality that’s just loaded. Scripts generate everything we have seen. Amendable to extensive customization and extension. Growing community writing 3rd party scripts. Bro could report Mandiant’s APT1 indicators within a day. 5 The Bro Monitoring Platform

  6. How to tell Bro which scripts to load Where (standard scripts) <prefix>/share/bro load scripts within a script @load <path-to-script> from the command line bro <options> <scripts...> Documentation: http://www.bro.org/sphinx/scripts/index.html 6 The Bro Monitoring Platform

  7. Script directory walk through • base/ • Everything loaded by default. Scripts meant to: • enable analyzers, collect state, generate protocol logs, provide reusable frameworks and function libraries. • base/ is not in the default $BROPATH! • policy/ • Not loaded by default. • Place for scripts that not everyone may want to load. • Pick and choose. • site/ • Location for local configuration. • No overwrite during installation. • BroControl loads site/local.bro as top-level site script. 7 The Bro Monitoring Platform

  8. script example: policy/misc/capture-loss export module CaptureLoss; export { redef enum Log::ID += { LOG }; redef enum Notice::Type += { ## Report if the detected capture loss exceeds the percentage ## threshold. Too_Much_Loss }; type Info: record { ## Timestamp for when the measurement occurred. ts: time &log; ## The time delay between this measurement and the last. ts_delta: interval &log; ## In the event that there are multiple Bro instances logging ## to the same host, this distinguishes each peer with its ## individual name. peer: string &log; ## Number of missed ACKs from the previous measurement interval. gaps: count &log; ## Total number of ACKs seen in the previous measurement interval. acks: count &log; ## Percentage of ACKs seen where the data being ACKed wasn't seen. percent_lost: double &log; }; ## The interval at which capture loss reports are created. const watch_interval = 15mins &redef; ## The percentage of missed data that is considered "too much" ## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be ## generated. The value is expressed as a double between 0 and 1 with 1 ## being 100%. const too_much_loss: double = 0.1 &redef; } 8 The Bro Monitoring Platform

  9. script example: policy/misc/capture-loss export module CaptureLoss; export { … ## The interval at which capture loss reports are created. const watch_interval = 15mins &redef; ## The percentage of missed data that is considered "too much" ## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be ## generated. The value is expressed as a double between 0 and 1 with 1 ## being 100%. const too_much_loss: double = 0.1 &redef; } 9 The Bro Monitoring Platform

  10. script example: policy/misc/capture-loss export module CaptureLoss; export { redef enum Log::ID += { LOG }; redef enum Notice::Type += { ## Report if the detected capture loss exceeds the percentage ## threshold. Too_Much_Loss }; 10 The Bro Monitoring Platform

  11. script example: policy/misc/capture-loss module CaptureLoss; export { … type Info: record { ## Timestamp for when the measurement occurred. ts: time &log; ## The time delay between this measurement and the last. ts_delta: interval &log; ## In the event that there are multiple Bro instances logging ## to the same host, this distinguishes each peer with its ## individual name. peer: string &log; ## Number of missed ACKs from the previous measurement interval. gaps: count &log; ## Total number of ACKs seen in the previous measurement interval. acks: count &log; ## Percentage of ACKs seen where the data being ACKed wasn't seen. percent_lost: double &log; }; … } 11 The Bro Monitoring Platform

  12. Bro script resources 12 The Bro Monitoring Platform

  13. Using External Scripts Demo 13 The Bro Monitoring Platform

Recommend

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

298 views • 15 slides
Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

794 views • 40 slides
scripts.mit.edu Quentin Smith scripts@mit.edu Student Information Processing Board October 29,

scripts.mit.edu Quentin Smith scripts@mit.edu Student Information Processing Board October 29,

Services Backend Further Info scripts.mit.edu Quentin Smith scripts@mit.edu Student Information Processing Board October 29, 2019 Quentin Smith scripts@mit.edu scripts.mit.edu Services Backend Further Info Outline Services 1 Web Mail

897 views • 42 slides
perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post

perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post

perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post process scripts 2 PERF SCRIPTS | JIRI OLSA COUNTING perf stat CPU 0 CPU 1 CPU 2 start $ perf stat -e ' cycles,instructions ' WORKLOAD

1.2k views • 59 slides
Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29

Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29

Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29 Outline Advantages/disadvantages of Python Running a parameter scan example Command line arguments Working with filesystem paths Working with

554 views • 29 slides
Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction

Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction

Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction www.kloster-seeon.de 2 Outline 1. Internal collaboration scripts 2. External collaboration scripts 3 Internal collaboration scripts What they are play

247 views • 24 slides
Listing Presentation Scripts Agent Scripts &amp; Dialogues Listing Presentation Script for Real

Listing Presentation Scripts Agent Scripts &amp; Dialogues Listing Presentation Script for Real

Listing Presentation Scripts Agent Scripts &amp; Dialogues Listing Presentation Script for Real Estate Agents Learn the listing presentation scripts and dialogues that top agents use in listing consultations to list more homes for sale. An

325 views • 4 slides
COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello

COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello

COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello World Shebang! Example Project Introducing Variables Variable Names Variable Facts Arguments Exit Status Branching:

526 views • 36 slides
What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode

What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode

What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode Simple and consistent manner Developer Workshop Alphabetic, syllabic and ideographic scripts Version 4.0 Muthu Nedumaran 50,000

686 views • 4 slides
Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May

Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May

Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May 18, 2018 1 / 11 Mimblewimble and Scriptless Scripts Mimblewimble, proposed in 2016 by Tom Elvis Jedusor No scripts, only signatures. What

509 views • 11 slides
SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements

SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements

SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements Grouped into batches Batches are executed when a GO statement is hit Why are these batches necessary? Certain commands cannot be

452 views • 21 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER

Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER

Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER 2017 Overview Google Apps Scripts Overview Google Apps Scripts A scripting language based on JavaScript that lets you automate actions with

268 views • 15 slides
E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come

E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come

E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come many ways telephone fax e-script paper Not allowed for scheduled meds E-Scripts Workflow Script shows on Work queue

95 views • 6 slides
Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational

Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational

Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational momentum against sharing? Difficulty in making scripts generally applicable? Difficulty in discovery and installation? We can solve this one!

484 views • 23 slides
More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell Scripts Shell Variables and the Environment Simple Shell Scripting More Advanced Shell Scripting Start-up Shell Scripts Shells and Shell

367 views • 17 slides
Jonathan Shaw How does Fable use Lua? AI Quest scripts Camera Start-up settings

Jonathan Shaw How does Fable use Lua? AI Quest scripts Camera Start-up settings

Jonathan Shaw How does Fable use Lua? AI Quest scripts Camera Start-up settings Miscellaneous scripts Debugging Patching A (very) brief history The original Fable used C++ as its scripting language, using

449 views • 29 slides
CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source

CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source

CS 377 MySQL/PHP Tutorial Connect from PHP Scripts MySQL is currently the most popular open source database server in existence. On top of that, it is very commonly used in conjunction with PHP scripts to create powerful and dynamic server-side

92 views • 5 slides
Bro scripts - 101 to 595 in 45 mins Aashish Sharma UNIVERSITY OF CALIFORNIA Zeek scripts - 101

Bro scripts - 101 to 595 in 45 mins Aashish Sharma UNIVERSITY OF CALIFORNIA Zeek scripts - 101

Bro scripts - 101 to 595 in 45 mins Aashish Sharma UNIVERSITY OF CALIFORNIA Zeek scripts - 101 to 595 in 45 mins Aashish Sharma UNIVERSITY OF CALIFORNIA &quot;Bringing Science Solutions to the World&quot; Hundreds of University

873 views • 66 slides
Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Yann R

Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Yann R

Intro Static Parser for Shell Statistical Analysis of Scripts Findings Conclusion Mining Debian Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Yann R egis-Gianas IRIF, Universit e Paris-Diderot July 31, 2018

581 views • 41 slides
Monitoring and Logging R Scripts in Production https://daroczig.github.io/logger Gergely Daroczi

Monitoring and Logging R Scripts in Production https://daroczig.github.io/logger Gergely Daroczi

Monitoring and Logging R Scripts in Production https://daroczig.github.io/logger Gergely Daroczi Directions in Statistical Computing September 19, 2019 About me (using R for production) 2006: calling R scripts from PHP (both reading from

762 views • 60 slides
Oracle Database Audit Scripts, Privacy &amp; Security considerations Challenge: Forensic analysis

Oracle Database Audit Scripts, Privacy &amp; Security considerations Challenge: Forensic analysis

Oracle Database Audit Scripts, Privacy &amp; Security considerations Challenge: Forensic analysis of license French case law concluded that that Oracle's scripts are scripting much more data than what is legally relevant usage on Oracle

117 views • 9 slides
Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Cryptocurrency Technologies Mechanics of Bitcoin Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin Scripts Bitcoin Blocks The Bitcoin Network Limitations and Improvements Mechanics of

695 views • 33 slides
Welcome. There are many kinds of written scripts. Some are alphabetic. Some are alphabetic -- but

Welcome. There are many kinds of written scripts. Some are alphabetic. Some are alphabetic -- but

Welcome. There are many kinds of written scripts. Some are alphabetic. Some are alphabetic -- but they use very different methods to display sounds. IMAGE SOURCE: http://commons.wikimedia.org/wiki/File:Chart_of_world_writing_systems.svg Pauline

672 views • 21 slides

More recommend