Exercise 5: Bro Communication
Input files: trace1.tcpdump and syslog.broccoli
Start with the script from Exercise 2c.
a) Run two Bros, one with no trace file, and send all new_connection and connection_established events from one Bro to the other.
First start 'slave' Bro: bro --pseudo-realtime=20 (list of policy files)
Then start 'master' Bro: bro -r trace1.tcpdump --pseudo-realtime=20 (list of policy files)
Then ^C 'slave' Bro, and compare results with the output of the 'master' Bro.
Note: Look at the remote.log results to see the Bro-to-Bro communication.
Hint: create files master.bro and slave.bro containing the required redef of Remote::destinations.
b) Same as (a), but use the &synchronized attribute instead of exchanging events. Also, count the total number of remote hosts seen by both Bros using the 'size' operator (e.g.: num_hosts = |host_table|).
c) Broccoli exercise:
Use broclient to send sample sshd logs that have been converted to Broccoli events to bro. Write a routine to count the number of failed ssh logins per host, and generate an alarm if there are more than 5 failures.
broclient is found in aux/broccoli/contrib of the Bro source tree, and is not built by default. To install it, do the following from the top of the source tree:
cd aux/broccoli/contrib
g++ -o broclient broclient.cc `broccoli-config --cflags` `broccoli-config --libs`
cp broclient /usr/local/bro/bin
Then send events to bro as follows:
cat syslog.broccoli | broclient
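One possible shape for the routine asked for in (c), added here as an illustration and not part of the original handout. It assumes the Bro 1.x notice framework (notice.bro, the Notice enum and NOTICE()) and a hypothetical event name ssh_login_failure(src, user); the real event name and parameters must match what the converted records in syslog.broccoli actually carry.

```bro
# Added example, not from the original exercise sheet.
@load notice

redef enum Notice += { SSH_TooManyFailures };

# Threshold named in the exercise: alarm on more than 5 failures per host.
const ssh_failure_threshold = 5 &redef;

# Failed ssh logins seen so far, keyed by the host that failed.
global ssh_failures: table[addr] of count &default = 0;

# ASSUMPTION: hypothetical event name and parameters; adjust them to the
# events broclient generates from syslog.broccoli.
event ssh_login_failure(src: addr, user: string)
	{
	++ssh_failures[src];

	# Raise the notice exactly once, when the count first exceeds the threshold.
	if ( ssh_failures[src] == ssh_failure_threshold + 1 )
		NOTICE([$note=SSH_TooManyFailures, $src=src,
		        $msg=fmt("%s: more than %d failed ssh logins (last user: %s)",
		                 src, ssh_failure_threshold, user)]);
	}

event bro_done()
	{
	# Per-host summary of failure counts at the end of the run.
	for ( h in ssh_failures )
		print fmt("%s %d", h, ssh_failures[h]);
	}
```

Run it alongside the policy files from (a)/(b) while piping syslog.broccoli through broclient; the notice appears once per offending host, and the summary is printed when Bro exits.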