Friday, August 9, 2013

Intro to Brogramming - Events

Bro is event driven. When something happens on the network, Bro's core raises an event and executes every code block (event handler) in scriptland that is associated with that event. Just as Bro has built-in functions for brogrammers to use, Bro has built-in events. These built-in events cover most of the things a network operator would want to know about (and again, the magic of the BSD license lets you extend Bro as you see fit).

I'm not going to write any code examples for built-in events, as Liam Randall has already done an excellent job of that. His Github page has Bro scripts that keep a tally of how many times each event fires while Bro runs. Read through the scripts and try to understand them; they are repetitive, since they do the same thing for every event.

In reality, Liam's fire scripts are great for understanding how Bro works, but they are too simple to give much insight into what is actually happening on the network. Pick an event he included in one of the files, preferably one you can easily generate yourself (like dns_request), and replace his code block with your own. Here's an example of something I want Bro to do when it sees a DNS request.

# dns_request fires once for every DNS query Bro parses.
# c is the connection, msg the DNS header, and query/qtype/qclass
# the question section of the request.
event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
    print fmt("DUDE! I just saw some bro query the DNS for %s with a query type of %d and a query class of %d", query, qtype, qclass);
}
Try running this script and writing your own. Add some local variables and calls to built in functions to the event.
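Here is a fuller version of that exercise, added as an example for this post (it is not code from the original post or from Liam's repository). It keeps a per-host tally of DNS requests in a global table, uses a couple of built-in functions (fmt, to_lower, the |s| length operator and the DNS::query_types table from base/protocols/dns) inside the dns_request handler, and hooks bro_init and bro_done as well so you can see three different events cooperating. The module name, the two thresholds and the "long query" heuristic are my own choices for illustration, not anything the original script defines.

```bro
# Added example for the dns_request exercise; not from the original post.
# Assumes Bro 2.x built-ins only: fmt, to_lower, |s|, DNS::query_types.
# Module name and thresholds below are made up for illustration.

module BroIntro;

export {
    ## How many requests from one source before we say something.
    const query_threshold = 50 &redef;

    ## Query names longer than this get called out. Very long labels
    ## are one classic sign of data being smuggled out over DNS.
    const long_query_len = 60 &redef;
}

# Per-source tally of DNS requests, keyed by the host asking.
# &default = 0 means a never-seen host reads as 0 instead of erroring.
global queries_by_host: table[addr] of count &default = 0;

event bro_init()
{
    print "BroIntro: DNS tally loaded, waiting for dns_request events";
}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
{
    # Local variables: the asking host and a normalised copy of the name.
    local src = c$id$orig_h;
    local q = to_lower(query);

    queries_by_host[src] += 1;

    # DNS::query_types maps the numeric qtype (1, 16, 255, ...) to its
    # name ("A", "TXT", "*", ...) and has a sane default for unknown values.
    print fmt("%s asked %s for %s (type %s, class %d)",
              src, c$id$resp_h, q, DNS::query_types[qtype], qclass);

    # |q| is the string length operator.
    if ( |q| > long_query_len )
        print fmt("long query (%d chars) from %s: %s", |q|, src, q);

    # Say something exactly once when a host crosses the threshold.
    if ( queries_by_host[src] == query_threshold )
        print fmt("%s has now sent %d DNS requests this run", src, query_threshold);
}

event bro_done()
{
    # Dump the tally when Bro exits (end of pcap, or shutdown on live traffic).
    for ( h in queries_by_host )
        print fmt("%s: %d DNS requests", h, queries_by_host[h]);
}
```

Run it against a capture with something like `bro -r dns.pcap dns_tally.bro` and you'll see the bro_init line first, one line per query, and the tally at the end from bro_done. Lower query_threshold to 2 or 3 when testing against a small pcap so the threshold branch actually fires.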
