In this exercise, we use Bro's built-in communication system to exchange information, first between two Bro instances and then between an external program and Bro. We again use the trace trace-1.pcap.

  1. Bro-to-Bro communication. We first exchange events and state information between two Bro instances.

    1. Below you find two Bro configurations. Save them into files bro-1.bro and bro-2.bro, and then run two Bro instances in parallel (in different directories) using the following command lines:

      > bro ./bro-1.bro
      > bro -r trace-1.pcap --pseudo-realtime=100 ./bro-2.bro

      After the second Bro has terminated, you can stop the first with CTRL-C. Examine the output of both instances. Can you explain what the two configurations are doing?

      Solution

The second Bro (the one reading the trace) sends all connection-related events over to the first, which feeds them through its standard event handlers. The first Bro therefore produces connection summaries in conn.log even though it never sees a network packet itself.

    2. Similar to an earlier exercise, add an event handler to bro-2.bro that counts the number of established TCP connections. Then adapt bro-1.bro so that the receiver prints out the total at the end. Run the two Bros again as above.

      Solution

      ### Add this to bro-1.bro (the receiver).
      # &synchronized keeps this value in step with the peer's copy of n.
      global n: count = 0 &synchronized;
      event bro_done()
          {
          print n;
          }
      ### Add this to bro-2.bro (the sender, reading the trace).
      global n: count = 0 &synchronized;
      event connection_established(c: connection)
          {
          ++n;    # the increment is propagated to bro-1 by state synchronization
          }
      ###
      > bro ./bro-1.bro
      > bro -r trace-1.pcap --pseudo-realtime=100 ./bro-2.bro
      [CTRL-C for the first when the second has finished.]
      1233361503.962956 received termination signal
      126
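
      The bro-1.bro and bro-2.bro files the exercise refers to are not reproduced on this page. What follows is an added example pair, written for this page rather than taken from the exercise's files, showing what the two scripts need to contain to produce the behaviour described in the two solutions above: bro-1.bro listens on the clear-text port, requests the connection_* events from the peer, loads conn so that those events end up in conn.log, and prints the synchronized counter at exit; bro-2.bro reads the trace, connects to bro-1 and counts established connections. The example assumes the Bro 1.x policy scripts remote.bro, listen-clear.bro and conn.bro, and the Remote::Destination fields $host, $events, $connect and $sync as I recall them from that version; check the record definition in your installation's remote.bro before relying on the field names.

```bro
# ---- bro-1.bro: the receiver (added example, not the exercise's own file) ----
# Run as:  bro ./bro-1.bro
@load remote
@load listen-clear    # listen on Remote::default_port_clear (47757/tcp)
@load conn            # so the received connection_* events produce conn.log

# Accept the peer connecting from localhost and request all connection_*
# events from it. $sync=T lets &synchronized globals flow between the peers.
# (Field names assumed from the 1.x Remote::Destination record.)
redef Remote::destinations += {
    ["sender"] = [$host=127.0.0.1, $events=/connection_.*/, $connect=F, $sync=T]
};

# Shared counter; bro-2 increments it, we only read it.
global n: count = 0 &synchronized;

event bro_done()
    {
    print fmt("established connections reported by the peer: %d", n);
    }

# ---- bro-2.bro: the sender (added example, not the exercise's own file) ----
# Run as:  bro -r trace-1.pcap --pseudo-realtime=100 ./bro-2.bro
@load remote

# Connect to the receiver on the default clear-text port. No $events here:
# we do not want any events back, we only push ours and share state.
redef Remote::destinations += {
    ["receiver"] = [$host=127.0.0.1, $connect=T, $sync=T]
};

# Same declaration as on the receiver; the name and attribute must match.
global n: count = 0 &synchronized;

event connection_established(c: connection)
    {
    ++n;    # propagated to bro-1 through state synchronization
    }
```

      Start bro-1 first so that it is listening when bro-2 connects; the receiver side selects which events it gets through its own $events pattern, so widening or narrowing that regular expression is how you control the volume of traffic between the two instances.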

  2. Injecting external data. The Bro distribution comes with a command-line client, bro-pipe (the binary is named bropipe), that injects arbitrary events into a running Bro instance via the Broccoli communication library. We will now use it to feed Bro with syslog information.

    1. bro-pipe is not built by default. Do the following to build it and install it into a directory along your PATH (the commands below use the Bro installation's bin directory, /usr/local/bro/bin):

      cd /path/to/bro/distribution/aux/broccoli/contrib
      g++ -o bropipe bropipe.cc `broccoli-config --cflags` `broccoli-config --libs`
      cp bropipe /usr/local/bro/bin

      (If broccoli-config is not found, the installation's bin directory is probably not in your PATH; give the full path to broccoli-config instead. If linking fails with errors about OpenSSL, add -lssl to the command line.)

    2. bro-pipe turns the lines of a specifically formatted ASCII file into Bro events, which it then sends to a running Bro instance. We have prepared an input file, syslog.bro-pipe, containing an excerpt of an actual syslog file that we converted to bro-pipe format (see Scott's page for more information about the format). For each line of this file, bro-pipe sends one ssh_fail_login event to Bro.

      Extend the skeleton below to count the number of ssh_fail_login events triggered by each source IP and generate an alarm for any host showing more than 5 failures.

      Now use bro-pipe to send the data from syslog.bro-pipe: run Bro with your script (it has to be listening on port 47757, the port bropipe connects to below), then start bropipe as follows:

      > bropipe -p 47757 -f syslog.bro-pipe

      Solution

      The completed script is syslog.bro; this is the event handler added to the skeleton:

      # Per-source counter; &default makes the first lookup of a new address yield 0.
      global sources: table[addr] of count &default=0;

      # max_failures and the SSHLoginFail notice type are assumed to be defined
      # in the skeleton (not shown on this page).
      event ssh_fail_login(ts: double, orig_h: addr, resp_h: addr, account: string, auth_type: string)
          {
          # "==" raises the notice exactly once per source, on the failure that
          # reaches the threshold; ">" would repeat it on every later failure.
          if ( ++sources[orig_h] == max_failures )
              NOTICE([$note=SSHLoginFail, $src=orig_h,
                      $msg=fmt("%s exceeded %d failed SSH logins", orig_h, max_failures)]);
          }
      > bro-1.4 ./syslog.bro
      > bro-1.4/bin/bropipe -p 47757 -f syslog.bro-pipe
      1233363715.493141 SSHLoginFail <127.0.0.1:64797/tcp> 81.68.198.23 exceeded 5 failed SSH logins
      1233363715.496814 SSHLoginFail <127.0.0.1:64797/tcp> 69.13.46.102 exceeded 5 failed SSH logins
      1233363715.497786 SSHLoginFail <127.0.0.1:64797/tcp> 131.243.64.203 exceeded 5 failed SSH logins
      1233363715.501305 SSHLoginFail <127.0.0.1:64797/tcp> 80.55.184.58 exceeded 5 failed SSH logins
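
      The skeleton syslog.bro is not reproduced on this page, so here is an added, self-contained version, written for this page and not the exercise's own file, that combines the handler above with the declarations a stand-alone script needs: it loads listen-clear so that bropipe's connection to port 47757 is accepted, declares the SSHLoginFail notice type and the max_failures threshold, and adds a bro_done summary of the per-source counts so that hosts just under the threshold become visible as well. The Remote::destinations entry for the Broccoli client follows the pattern of the broping example shipped with Broccoli; whether the skeleton needs it or relies on listen-clear alone is an assumption on my part, as are the 1.x field names $host, $events and $connect.

```bro
# syslog.bro -- added example assembled around the handler from the solution.
# Run as:   bro ./syslog.bro
# Then:     bropipe -p 47757 -f syslog.bro-pipe
@load notice
@load remote
@load listen-clear      # bropipe connects to 47757/tcp; Bro must be listening

# Accept the bropipe client from localhost and request the event it sends.
# (Assumption: a destinations entry is needed for peers that connect to us.)
redef Remote::destinations += {
    ["bropipe"] = [$host=127.0.0.1, $events=/ssh_fail_login/, $connect=F]
};

# Notice type raised when a source reaches the threshold.
redef enum Notice += { SSHLoginFail };

# Threshold; can be overridden with "redef max_failures = 10;" from another script.
const max_failures = 5 &redef;

# Per-source counter; &default makes the first lookup of a new address yield 0.
global sources: table[addr] of count &default=0;

event ssh_fail_login(ts: double, orig_h: addr, resp_h: addr,
                     account: string, auth_type: string)
    {
    # "==" fires exactly once per source, on the failure that reaches the
    # threshold, instead of once per failure beyond it.
    if ( ++sources[orig_h] == max_failures )
        NOTICE([$note=SSHLoginFail, $src=orig_h,
                $msg=fmt("%s exceeded %d failed SSH logins", orig_h, max_failures)]);
    }

event bro_done()
    {
    # Summary of every source seen, including those below the threshold.
    for ( h in sources )
        print fmt("%s: %d failed SSH logins", h, sources[h]);
    }
```

      The bro_done summary is what lets you sanity-check the threshold: if many sources sit at three or four failures, an attacker spreading attempts across addresses is invisible to a per-source count, and a per-account or per-target counter alongside this one would be the next thing to add.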
