In this exercise, we use Bro's built-in communication system to exchange information. We use again the trace trace-1.pcap for these.

  1. Bro-to-Bro communication. We first exchange events and state information between two Bro instances.

    1. Below you find two Bro configurations. Save them into files bro-1.bro and bro-2.bro, and then run two Bro instances in parallel (in different directories) using the following command lines: 

      > bro ./bro-1.bro
      > bro -r trace-1.pcap --pseudo-realtime=100 ./bro-2.bro

      After the second Bro has terminated, you can stop the first with CTRL-C. Examine the output of both instances. Can you explain what the two configurations are doing?

    2. Similar to an earlier exercise, add an event handler to bro-2.bro that counts the number of established TCP connections. Then adapt bro-1.bro so that the receiver prints out the total at the end. Run the two Bros again as above.

  2. Injecting external data. The Bro distribution comes with a command-line client, bro-pipe, that injects arbitrary data into a running Bro instance via the Broccoli communication library. We will now use this program to feed Bro with syslog information.

    1. bro-pipe is not built by default. Do the following to install it into /usr/local/bin (or anywhere else along your PATH): 

      cd /path/to/bro/distribution/aux/broccoli/contrib
g++ -o bropipe bropipe.cc `broccoli-config --cflags` `broccoli-config --libs`
cp bropipe /usr/local/bro/bin

      (If broccoli-config is not found, you probably don't have the installation's bin directory in your PATH. Try giving the full path to broccoli-config. If you get errors about linking with OpenSSL, try adding -lssl to the command line.)

    2. bro-pipe turns the lines of a specifically formatted ASCII file into Bro events, which it then sends over to a running Bro instance. We have prepared an input file syslog.bro-pipe, containing an excerpt of an actual syslog file that we turned into bro-pipe format. (See Scott's page for more information about the format.). For each line of this file, bro-pipe will send one ssh_fail_login event to Bro.

      Extend the skeleton below to count the number of ssh_fail_login events triggered by each source IP and generate an alarm for any host showing more than 5 failures.

      Now use bro-pipe to send the data from syslog.bro-pipe: run a Bro with your script, and start bro-pipe as follows:

      > bropipe -p 47757 -f syslog.bro-pipe

      .

Skeletons for (1a)
### Configuration for the first Bro, the receiver. (bro-1.bro)
@load tcp
@load listen-clear
@load remote
# Configure this Bro to listen for a remote client, subscribing to
# connection_established() events as well as synchronizing state.
redef Remote::destinations += {
  ["other-bro"] = [$host = 127.0.0.1, $events = /.*connection.*/,
                   $sync=T, $connect=F]
};
### Configuration for the second Bro, the sender.  (bro-2.bro)
@load tcp
@load remote
# Configure this Bro to listen for a remote client, subscribing to
# connection_established() events as well as synchronizing state.
redef Remote::destinations += {
  ["other-bro"] = [$host = 127.0.0.1, $sync=T, $connect=T]
};
Skeleton for (2b)
@load listen-clear
@load remote
@load notice
module SyslogSSH;
export {
    # Alert threshold per source.
    const max_failures = 5 &redef;
}
redef Remote::destinations += {
    ["syslog"] = [$host = 127.0.0.1, $events = /ssh_.*/, $connect=F],
};
redef enum Notice += {
    SSHLoginFail
};
event ssh_fail_login(ts:double, orig_h:addr, resp_h:addr, account:string, auth_type:string)
    {
    ### Insert code here.
    }