Writing Event Handlers

We now turn to writing custom event handlers. The template below offers some empty handlers as a starting point. Pick the ones you need for each subtask and fill in the appropiate script code. Then run Bro again on the trace trace-1.pcap with your custom handlers. In this exercise, all hosts in 10.20.11.0/24 and 10.20.12.0/24 are again considered local hosts.

1. Write a Bro script that prints the two IP addresses of all fully established TCP connections to standard output. How many (non-unique) pairs does it print?

   Solution

   > cat myhandlers.bro
   event connection_established(c: connection)
       {
       local orig = c$id$orig_h;
       local resp = c$id$resp_h;
       print orig, resp;
       }

   > bro -r trace-1.pcap tcp weird alarm ./myhandlers.bro ./mysite.bro | wc -l
   126

2. Write a Bro script that counts the number of established TCP connections and prints the total at Bro's termination.

   Solution

   > cat myhandlers.bro
   global n: count = 0;

   event connection_established(c: connection)
       {
       ++n;
       }

   event bro_done()
       {
       print n;
       }

   > bro -r trace-1.pcap tcp weird alarm ./myhandlers.bro ./mysite.bro
   126

3. Write a Bro script that prints the 4-tuple of hosts/ports for the first connection established by each originating host.

   Solution

   > cat myhandlers.bro
   global hosts: set[addr];

   event connection_established(c: connection)
       {
       local orig = c$id$orig_h;

       if ( orig in hosts )
           return;

       add hosts[orig];
       print c$id;
       }

   > bro -r trace-1.pcap tcp weird alarm ./myhandlers.bro ./mysite.bro
   [orig_h=10.20.12.187, orig_p=45561/tcp, resp_h=207.126.127.69, resp_p=80/tcp]
   [orig_h=10.20.1.32, orig_p=1072/tcp, resp_h=128.104.18.148, resp_p=2064/tcp]
   [...]

4. Write a Bro script that counts the number of connections established by each local host and prints the totals at termination.

   Solution

   > cat myhandlers.bro
   global hosts: table[addr] of count &default=0;

   event connection_established(c: connection)
       {
       local orig = c$id$orig_h;

       if ( ! is_local_addr(orig) )
           return;

       ++hosts[orig];
       }

   event bro_done()
       {
       for ( h in hosts )
           print h, hosts[h];
       }

   > bro -r trace-1.pcap tcp weird alarm ./myhandlers.bro ./mysite.bro
   10.20.11.169, 4
   10.20.12.187, 67

5. Write a Bro script that reports a NOTICE when more than 10 of a remote host's connections are rejected.

   Solution

   >cat myhandlers.bro
   redef enum Notice += { ManyConnsRejected };

   global hosts: table[addr] of count &default=0;

   event connection_rejected(c: connection)
       {
       local orig = c$id$orig_h;

       if ( is_local_addr(orig) )
           return;

       if ( ++hosts[orig] == 11 )
           NOTICE([$note=ManyConnsRejected, $msg=fmt("More than 10 connections from %s rejected", orig), $conn=c]);
       }

   > bro -r trace-1.pcap tcp weird alarm ./myhandlers.bro ./mysite.bro
   > cat alarm.log
   964954101.989580 ManyConnsRejected More than 10 connections from 10.99.34.3 rejected

.

  # Generated for each established TCP connection (i.e., full handshake seen).
event connection_established(c: connection)
    {
    ### Insert code here.
    }

  # Generated for each rejected TCP connection (i.e., _SYN_ answered with _RST_).
event connection_rejected(c: connection)
    {
    ### Insert code here.
    }

  # Generated once just before Bro terminates.
event bro_done()
    {
    ### Insert code here.
    }

  # A global variable of type "count" (i.e., an unsigned integer).
global n: count = 0;

  # A global set of addresses.
global hosts: set[addr];

  # A global table mapping addresses to counts.
global hosts: table[addr] of count;

## Raising a custom Notice.

  # Define new Notice type called "MyNotice".
redef enum Notice += { MyNotice };

  # Raise the notice, indicating it was triggered by connection "conn".
NOTICE([$note=MyNotice, $msg="text", $conn=c]);