This document provides instructions and information for using the Bro network security monitor and its associated tools. It discusses installing Bro from source and describes Bro's architecture and event-based model. It also explains how to use Bro tools like BroControl and inspect Bro logs. The document outlines how to write Bro scripts and filter network traffic. It demonstrates reading pcap files with Bro and communicating with Bro using the Broccoli library.
Usage Notes of The Bro 2.2 / 2.3
(a network security monitor)
William.L
wiliwe@gmail.com
2015-02-17
Index
Basic Information
Architecture & System Structure
Install Bro
  Running Bro Without Installing
Use Bro Tools
  Inspect Log Files
  Script Files
  Add Network Application Filter Script
  Read Packet Capture (PCAP) Files
Communicate With Bro System By Programming
  Default Listen Port Number for Broccoli
  Data Type Mapping between Bro Script and Broccoli Program
  Broccoli Library Documentation
  Broccoli Library Path Setting under 64-bit Environment
Reference
Basic Information
The Bro official site - https://www.bro.org/index.html
Bro is a powerful, passive, open-source network traffic analyzer and analysis framework that is quite
different from the typical IDS (intrusion detection system) you may know. It is NOT a classic
signature-based IDS. (A signature-based IDS monitors packets on the network and compares them against a
database of signatures or attributes of known malicious threats, much as most antivirus software detects
malware.) Bro instead turns the traffic into events and lets site-defined scripts decide what is significant.
Well grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between
academia and operations since its inception.
Bro was originally developed by Vern Paxson (http://www.icir.org/vern/).
Architecture & System Structure
Bro is built on an event-based model and is layered into two major components: the event engine and the
script interpreter.
The event engine (or core) reduces the incoming packet stream into a series of higher-level events. These events
reflect network activity in policy-neutral terms, i.e., they describe what has been seen, but not why, or whether
it is significant. For example, an HTTP request on the wire becomes an http_request event carrying the requested
URI; the event does not convey any further interpretation, e.g., of whether that URI corresponds to a known
malware site. That interpretation is done by Bro’s second main component, the script interpreter.
The script interpreter executes a set of event handlers written in Bro’s custom scripting language.
These scripts can express a site’s security policy, i.e., what actions to take when the monitor detects different
types of activity. More generally they can derive any desired properties and statistics from the input traffic.
Bro’s language comes with extensive domain-specific types and support functionality and, crucially, allows
scripts to maintain state over time. Bro scripts can generate real-time alerts and also execute arbitrary external
programs on demand, e.g., to trigger an active response to an attack.
The Bro system contains the components/tools below:
Component        Description                                        Source Folder
BinPAC           A protocol parser generator.                       Bro-Src-Root/aux/binpac
bro-aux          Small auxiliary tools for Bro.                     Bro-Src-Root/aux/bro-aux
Broccoli         The Bro Client Communication Library.              Bro-Src-Root/aux/broccoli
BroControl       An interactive shell for managing Bro              Bro-Src-Root/aux/broctl
                 installations.
broccoli-python  Broccoli Python bindings.                          Bro-Src-Root/aux/broccoli/bindings/broccoli-python
broccoli-ruby    Broccoli Ruby bindings.                            Bro-Src-Root/aux/broccoli/bindings/broccoli-ruby
BTest            A unit testing framework.                          Bro-Src-Root/aux/btest
capstats         A command-line tool collecting packet statistics.  Bro-Src-Root/aux/broctl/aux/capstats
PySubnetTree     A Python module for CIDR lookups.                  Bro-Src-Root/aux/broctl/aux/pysubnettree
trace-summary    A script generating break-downs of network         Bro-Src-Root/aux/broctl/aux/trace-summary
                 traffic.
P.S.: "Bro-Src-Root" used here is the Bro source folder. Take mine for example, "/home/william/bro-2.3.2".
Install Bro
Here the install-from-source way is used; the steps to build and install Bro and its tools are described at the
link below, which also lists the required and optional dependencies for compiling the Bro source.
https://www.bro.org/sphinx/install/install.html
All operations are done under the Linux distribution Ubuntu 14.04 LTS 64-bit.
1) Download a copy of the Bro source archive from the official site shown below and extract the archive.
https://www.bro.org/download/index.html
Or use git to retrieve the Bro source:
git clone --recursive git://git.bro.org/bro
The version used in this document is v2.3.2 (bro-2.3.2.tar.gz).
2) Change directory to the Bro source root folder (here "/home/william/bro-2.3.2" is used as an example), configure
the build environment and run make (compile). The auxiliary tools and libraries live in the aux/
sub-directory; some of them are automatically built and installed along with Bro.
cd /home/william/bro-2.3.2
./configure --prefix=/home/william/bro
[Note: Installing into the default location requires root privileges, so here Bro is configured to install into a
folder named "bro" in my home directory; the install step creates the folder if it does not exist. The default
installation path is /usr/local/bro.]
make
make install
If you want to uninstall the Bro files (this only removes the installed script files), run the command below; it
uses the Makefile in the "build" sub-directory of the Bro source folder.
make -C build uninstall
Set the environment variable PATH to include the path to your installed Bro tools.
Example:
export PATH=$PATH:/home/william/bro/bin
Running Bro Without Installing
Developers who wish to run Bro directly from the build/ directory (i.e., without performing make install)
first have to adjust the BROPATH environment variable so that Bro looks for scripts and additional files inside
the build directory.
Sourcing either build/bro-path-dev.sh or build/bro-path-dev.csh, as appropriate for the current shell,
accomplishes this and also augments your PATH environment variable so you can use the Bro binary directly:
./configure
make
source build/bro-path-dev.sh
bro <options> <script-file>
Use Bro Tools
These are the basic configuration changes (the configuration files are under the folder Bro-Install-Path/etc) to
make for a minimal BroControl installation that will manage a single Bro instance on the localhost:
# In Bro-Install-Path/etc/node.cfg, set the network interface to monitor. The variable for setting the interface
is "interface"; the network interface name can be found by running the command "ifconfig -a".
# In Bro-Install-Path/etc/networks.cfg, comment out the default settings and add the networks that Bro will
consider local to the monitored environment.
# In Bro-Install-Path/etc/broctl.cfg, change the MailTo variable to the desired recipient e-mail address and
the LogRotationInterval variable to the desired log archival frequency/period value.
1) Start the BroControl shell by typing the command:
$ broctl
2) When you run the BroControl shell for the first time, perform an initial installation of the BroControl
configuration:
[BroControl] > install
3) Then start up a Bro instance:
[BroControl] > start
Note:
<I> If you encounter an error whose message is similar to the one below, it means you need root privileges (more
precisely, write access to the Bro-Install-Path/spool directory, which happens when Bro was installed as root
but broctl is run as another user):
"error: cannot acquire lock: [Errno 13] Permission denied: '/usr/local/bro/spool/lock'"
<II> If it shows the message "bro terminated immediately after starting", there were errors and
you can view the details through the command "diag":
[BroControl] > diag
or you can inspect the error log file "Bro-Install-Path/logs/current/stderr.log".
<III> The user starting BroControl needs permission to capture network traffic. If you are not root, you
may need to grant further privileges to the account you are using. Follow the question and answer from
Bro's FAQ Web page, https://www.bro.org/documentation/faq.html:
Q: How can I capture packets as an unprivileged user?
A: Fully implemented since Linux kernel 2.6.24, capabilities are a way of parceling super user privileges into
distinct units.
Attach the capabilities required to capture packets to the bro executable file like this:
sudo setcap cap_net_raw,cap_net_admin=eip /path/to/bro
where "bro" is the Bro executable.
Example:
sudo setcap cap_net_raw,cap_net_admin=eip /home/william/bro/bin/bro
Now any unprivileged user should have the capability to capture packets using Bro provided that they have the
traditional file permissions to read/execute the bro binary. (Since this lets anyone who can execute the binary
sniff all traffic on the host, restrict its read/execute permission to the account or group that runs Bro, e.g.
with chgrp and chmod 750, and check the result with "getcap /home/william/bro/bin/bro".)
When the bro executable runs normally, you can observe it with the ps command.
To stop this Bro instance you would do:
[BroControl] > stop
Inspect Log Files
By default, logs are written out in human-readable (ASCII) format and data is organized into columns
(tab-delimited); the bro-cut tool from bro-aux selects columns by their header name.
Logs that are part of the current rotation interval are accumulated in "Bro-Install-Path/logs/current/" (if Bro is
not running, the directory will be empty).
By default, BroControl regularly takes all the logs from "Bro-Install-Path/logs/current/" and archives them to a
directory named by date, e.g. Bro-Install-Path/logs/2011-10-06.
The frequency at which this is done can be configured via the LogRotationInterval option in
Bro-Install-Path/etc/broctl.cfg.
Some logs are worth explicit mention:
conn.log     Contains an entry for every connection seen on the wire, with basic properties
             such as time and duration, originator and responder IP addresses, services and
             ports, payload size, and much more. This log provides a comprehensive record
             of the network’s activity.
notice.log   Identifies specific activity that Bro recognizes as potentially interesting, odd, or
             bad. In Bro-speak, such activity is called a "notice".
Script Files
Bro includes an event-driven scripting language that provides the primary means for an organization to extend
and customize Bro’s functionality. Virtually all of the output generated by Bro is, in fact, generated by Bro
scripts. It is almost easier to consider Bro to be an entity behind the scenes processing connections and
generating events, while Bro’s scripting language is the medium through which we mere mortals can achieve
communication.
Bro scripts effectively tell Bro that, should there be an event of a type we define a handler for, it should hand
us the information about the connection so we can perform some function on it.
Bro ships with many pre-written scripts that are highly customizable to support traffic analysis for your
specific environment. By default, these are installed into Bro-Install-Path/share/bro/ and can be identified
by the use of a ".bro" file name extension.
These files should never be edited directly as changes will be lost when upgrading to newer versions of Bro.
The exception to this rule is the directory Bro-Install-Path/share/bro/site/ where local site-specific files can be
put without fear of being clobbered later. The other main script directories under Bro-Install-Path/share/bro/
are base and policy.
By default, Bro automatically loads all scripts under base (unless the -b command line option is supplied),
which deal either with collecting basic/useful state about network activities or providing frameworks/utilities
that extend Bro’s functionality without any performance cost.
Scripts under the policy directory may be more situational or costly, and so users must explicitly choose if they
want to load them.
The main entry point for the default analysis configuration of a standalone Bro instance managed by
BroControl is the "Bro-Install-Path/share/bro/site/local.bro" script. Add customized processing to this
script file, typically as @load lines pointing at your own scripts in the site directory.
Bro has script packages (i.e. collections of related scripts in a common directory). If the package directory
contains a "__load__.bro" script, it supports being loaded en masse as a whole directory for convenience.
Packages/scripts in the "base/" directory are all loaded by default, while ones in "policy/" provide functionality
and customization options that are more appropriate for users to decide whether they would like to load or not.
If one wants Bro to be able to load scripts that live outside the default directories in Bro’s installation root,
the BROPATH environment variable will need to be extended to include all the directories that need to be
searched for scripts.
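The script below is an added example for these notes (it is not part of the page or of the Bro distribution). It shows the pieces described in the architecture and script sections working together: a handler for an event the engine raises (connection_state_remove), state kept across events in a table that expires on its own, and a notice written to notice.log. Put it in Bro-Install-Path/share/bro/site/ and add "@load usage-notes-scan" to local.bro. The file name, the module name, the notice type and the threshold of 20 ports are assumptions of this example.

```bro
##! Added example for the usage notes, not part of Bro. Raises a notice when
##! one originator contacts many distinct responder ports. The module name,
##! notice type and threshold are assumptions; tune them for your site.

@load base/frameworks/notice

module UsageNotes;

export {
	redef enum Notice::Type += {
		## One host contacted scan_threshold distinct destination ports.
		Many_Ports_Contacted,
	};

	## Distinct responder ports one originator may touch before a notice
	## is raised. Assumed value for this example.
	const scan_threshold = 20 &redef;
}

# State kept across events: per originator, the responder ports seen so far.
# Each entry is dropped 5 minutes after it was created, so the table cannot
# grow without bound on a busy link.
global ports_seen: table[addr] of set[port] &create_expire=5min;

# The event engine raises connection_state_remove once per connection, when
# it ends or times out. The handler (run by the script interpreter) decides
# whether the activity is worth reporting.
event connection_state_remove(c: connection)
	{
	local orig = c$id$orig_h;

	# When networks.cfg defines local networks, only count connections to
	# local responders. With no local networks defined (e.g. reading a pcap
	# with bro -r and no site config) count everything, so the example still
	# produces output offline.
	if ( |Site::local_nets| > 0 && ! Site::is_local_addr(c$id$resp_h) )
		return;

	if ( orig !in ports_seen )
		ports_seen[orig] = set();

	add ports_seen[orig][c$id$resp_p];

	# Fire exactly once when the threshold is crossed. $identifier together
	# with $suppress_for keeps repeats for the same originator quiet for an
	# hour, so a scanning host does not flood notice.log.
	if ( |ports_seen[orig]| == scan_threshold )
		NOTICE([$note=Many_Ports_Contacted,
		        $msg=fmt("%s contacted %d distinct responder ports",
		                 orig, scan_threshold),
		        $src=orig,
		        $identifier=cat(orig),
		        $suppress_for=1hr]);
	}
```

To try it offline, run bro -r on a capture with the script name as an additional argument and look at notice.log in the working directory; on a BroControl-managed instance, run "install" and "restart" in broctl after editing local.bro.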
Add Network Application Filter Script
Under the folder "Bro-Install-Path/share/bro/policy/misc/app-stats/plugins":
1) Copy an existing plugin script to a new one. For example:
cp facebook.bro amazon.bro
2) Change the host-name matching condition in the copy so that it matches the Amazon site.
3) In "__load__.bro", add the line "@load ./amazon".
4) Use a Web browser to visit the Amazon site, wait for a while and view the log file
"Bro-Install-Path/logs/current/app_stats.log".
(Note that this edits files under policy/, which an upgrade overwrites; keeping the new plugin under site/ and
loading it from local.bro avoids that.)
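Below is what step 2 produces, written out as a complete plugin. It is an added example for these notes, not one of the plugins shipped with Bro. The hook name and its (id, hostname, size) signature are those that app-stats/main.bro of Bro 2.3 invokes for its plugins and should be checked against the installed copy; the host-name pattern is an assumption and should be adjusted to the sites of interest. Save it as amazon.bro in the plugins folder and register it in __load__.bro as in step 3.

```bro
# Added example of an app-stats plugin for the usage notes; not shipped with
# Bro. The add_sumstats hook is the one app-stats/main.bro calls for every
# observed host name; the amazon.com pattern below is an assumption.

@load ../main

module AppStats;

hook add_sumstats(id: conn_id, hostname: string, size: count)
	{
	# Match amazon.com itself and any sub-domain. The pattern is anchored at
	# the end of the name so that look-alikes such as amazon.com.evil.example
	# are not counted as Amazon traffic.
	if ( /(^|\.)amazon\.com$/ !in hostname )
		return;

	# Bytes transferred, when the caller knows them.
	if ( size > 0 )
		SumStats::observe("apps.bytes", [$str="amazon"], [$num=size]);

	# One hit per observation; the observation value is the client address,
	# which app-stats uses to count distinct hosts per interval.
	SumStats::observe("apps.hits", [$str="amazon"], [$str=cat(id$orig_h)]);
	}
```

The "apps.hits" observations become the hit and unique-host figures and "apps.bytes" the byte figure for the app named "amazon" in app_stats.log. If the plugin is kept under site/ instead of the plugins folder, replace "@load ../main" with "@load misc/app-stats/main".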
Read Packet Capture (PCAP) Files
Capturing packets from an interface and writing them to a file can be done like this:
sudo tcpdump -i en0 -s 0 -w mypackets.trace
where en0 can be replaced by the correct interface for your system as shown by e.g. ifconfig. (The -s 0
argument tells it to capture whole packets; in cases where it is not supported use -s 65535 instead.) After a while
of capturing traffic, kill the tcpdump (with ctrl-c).
Or, you can use Wireshark/Ethereal (Linux/Windows) or Microsoft Network Monitor (Windows) to capture
and save packets into a PCAP format file.
(P.S.: Microsoft Network Monitor - http://www.microsoft.com/en-us/download/details.aspx?id=4865)
Then tell Bro to perform all the default analysis on the capture by running the command below; Bro writes its
log files into the working directory:
bro -r mypackets.trace
If you are interested in more detection, you can again load the local script that we include as a suggested
configuration:
bro -r mypackets.trace local
To view the filtering result for the application (the app-stats plugin added above):
cat app_stats.log
Communicate With Bro System By Programming
Q: What is Broccoli?
A: The BRO Client COmmunications LIbrary.
It allows you to write applications that speak the communication protocol of the Bro intrusion detection system
for exchanging Bro events with external programs. Broccoli is free software under the terms of the BSD license as
given in the COPYING file distributed with its source code.
Based on my experiment results with the Broccoli of Bro v2.3 and the discussion at the link below, I switched to
the Broccoli version of Bro v2.2.
http://bro.bro-ids.narkive.com/XaJeX1aM/broccoli-not-processing-events
Default Listen Port Number for Broccoli
The default port number on which a BroControl-managed Bro instance listens for Broccoli connection requests is
47760, which can be confirmed by running the netstat tool:
netstat -ant
If you want to change the port number, you can change the port number value (the BroPort option) in the Python
file "options.py" under the Bro installation path. It is safer to override BroPort in Bro-Install-Path/etc/broctl.cfg
instead, since options.py only holds the defaults and is replaced on upgrade.
After changing the port number, run "broctl" to invoke the Bro controller, execute "install" at the
"[BroControl] >" prompt to re-generate the configuration files and then execute "restart" to restart the Bro daemon.
Use the netstat tool to verify that the port number is what you set.
Data Type Mapping between Bro Script and Broccoli Program
When you want to exercise an event provided by Bro scripts (.bro files) from a program, the data types of the
parameters in the Bro script's event handler have to be converted. The Bro official site provides this mapping (the
table is in the Broccoli manual listed in the Reference section).
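As an added example (not from the page or the Broccoli manual), here is the Bro side of such an exchange: a script that accepts one Broccoli client, restricts which events that client may send, and answers every ping event with a pong. The node name "broping", the listening port 47758/tcp, the event names and the ping/pong argument types are assumptions; the Broccoli program must mirror them using the mapped C types (Bro time and count on this side).

```bro
# Added example for the usage notes: the Bro-script half of a ping/pong
# exchange with a Broccoli client. Node name, port and event signatures are
# assumptions the client program has to match.

@load frameworks/communication/listen

# Port on which this Bro instance accepts Broccoli connections when started
# by hand (bro -i eth0 listen-ping.bro). A BroControl-managed instance
# listens on the BroPort it was installed with instead.
redef Communication::listen_port = 47758/tcp;

# Only peers listed here may connect. $events limits which of the peer's
# events Bro accepts, so the client cannot inject arbitrary events into the
# running policy. $connect=F means Bro waits for the client rather than
# dialing out; $ssl=F is plaintext and only acceptable on localhost.
redef Communication::nodes += {
	["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $ssl=F]
};

# Event the client sends. The parameter types (time, count) are what the
# Broccoli program must convert its values to.
event ping(src_time: time, seq: count)
	{
	# Answer with the original timestamp, our own timestamp and the sequence
	# number. The event is delivered to every peer that subscribed to "pong".
	event pong(src_time, current_time(), seq);
	}

# The local pong handler runs as well, so the exchange is visible on stdout
# when Bro runs in the foreground.
event pong(src_time: time, dst_time: time, seq: count)
	{
	print fmt("ping seq %d: sent %f, answered %f, one-way delay %f",
	          seq, src_time, dst_time, dst_time - src_time);
	}
```

A client that only registers for "pong" but is not listed in Communication::nodes is refused, which is the check to run first when events appear not to be processed.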
Broccoli Library Documentation
If you want to browse the Broccoli library in detail, it provides documentation that can be generated with
Doxygen (http://www.stack.nl/~dimitri/doxygen/). In the Broccoli source folder there is a sub-folder named
"doc" containing a Doxygen configuration file named "Doxyfile".
Change directory to the "doc" sub-folder and run the following command to generate the HTML-based Broccoli
documentation:
doxygen ./Doxyfile
After the generating process completes, it creates a folder named "html" under the "doc" sub-folder.
In the "html" folder, the main Web page is index.html; open it in your Web browser to browse Broccoli's data
structures and functions.
Broccoli Library Path Setting under 64-bit Environment
On 64-bit Linux, the path to the Broccoli SO (dynamic) library has to be set manually; otherwise a Broccoli
application fails to run because the loader cannot find the Broccoli SO library, libbroccoli.so.
The ldd (List Dynamic Dependencies) tool shows what caused the failure: the library is listed as "not found".
To resolve this problem, the Broccoli SO library path has to be set properly.
In CentOS, add soft links to the Broccoli SO library files under the folder /usr/lib64.
In Ubuntu, add soft links to the Broccoli SO library files under the folder /lib/x86_64-linux-gnu or
/usr/lib/x86_64-linux-gnu.
(Alternatively, add Bro-Install-Path/lib to a file under /etc/ld.so.conf.d/ and run ldconfig, which avoids
placing links in the system library folders.)
After setting the correct path to Broccoli, use the ldd tool to verify again.
Reference
* Official Site
https://www.bro.org/
* On-line Reference/Documentation
https://www.bro.org/sphinx/
* Broccoli library
# https://www.bro.org/sphinx/components/broccoli/README.html
# https://www.bro.org/sphinx/components/broccoli/broccoli-manual.html
* The paper for Bro IDS
<I> http://www.icir.org/vern/papers/bro-CN99.html
<II> ftp://ftp.ee.lbl.gov/papers/bro-CN99-new.pdf.gz