Friday, August 9, 2013

Intro to Brogramming - Frameworks

I have to be honest. I had to think for a bit about what the difference between a Bro module and a Bro framework is. I could be completely off base, but here's what I've concluded.

Frameworks in Bro provide global extensions to how Bro operates and what Bro can do. Frameworks can be thought of as shared libraries between parts of Bro. Frameworks are built on top of one or more modules. I like to think about modules in the context of what they expose to other scripts (their exports), while I consider frameworks to be something that changes how Bro can be used from a high-level, global perspective.

For example, the LogAscii, LogSQLite, and LogElasticSearch modules expose ways to write the information Bro generates in different output formats. Together they help make up the logging framework, which offers those output options to all of Bro. Bro's homepage has some frameworks listed. I have yet to write my own full-featured framework and thus I cannot give an example of one. I again suggest turning to and reading the code. See the /usr/local/bro/share/bro/base/frameworks directory.

Bro frameworks include:
  • Input - this framework provides a mechanism for Bro to read data (including Bro logs) into Bro for processing.
  • Intel - this framework provides a mechanism for Bro to monitor the entire network for a specific piece of intelligence. For example, a malicious domain could appear in a link within an email or chat, in an HTTP URL, or within a DNS request.
  • File Analysis - this framework allows for files seen on the network to be treated similarly to connections. Files can be carved from the wire, examined, hashed, or submitted to Team Cymru's Malware Hash Registry.
  • Logging - the logging framework supports other frameworks and modules by providing a mechanism to easily create a new log stream, filter an existing log stream, or define custom events that should occur when some piece of information is ready to be logged.
  • DPD (dynamic protocol detection) - DPD is very cool and probably the single reason I started to look at Bro. Bro uses a combination of standard ports, behavioral analysis and signatures to determine the protocol being used on the wire. If you've ever had to explicitly tell Wireshark which decoder to use, you have experienced the frustrations IRC running over port 8080 can create.
  • Notice - this framework provides a way for other Bro frameworks and modules to raise notices. Raised notices in scriptland are similar to raised events from the core.
  • Cluster - Networks get big and sometimes a single machine cannot handle all the traffic you may have to inspect. The cluster framework provides a mechanism for Bro to scale horizontally. Another nice thing about Bro is that it runs on commodity hardware. If a stand-alone setup (a single Bro process on a single system; we've been running Bro in stand-alone mode for these blog posts) can't handle all your packets, just throw more cheap boxes at it.
  • Signatures - the signature framework provides a Snort-style, packet-by-packet inspection mechanism. Signatures are mostly used by the DPD framework. As Bro focuses more on connections and streams than on packets, signatures don't get used very often by brogrammers.
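To make the Logging and Notice entries above concrete, here is a small script I've added for this post; it is not code from the Bro project or from the frameworks directory. It assumes Bro 2.x script syntax, and the module name LongConn, the stream LongConn::LOG, the notice type LongConn::Seen, and the threshold constant are all names I made up for the example. It creates a new log stream, attaches a filter that writes a second file containing only connections to non-local hosts, and raises a notice for every connection that exceeds the threshold. Run it against a capture with `bro -r some.pcap long_conn.bro` and look for the new log files in the working directory.

```bro
# Added example (not part of the original post): a custom log stream plus a
# notice, built on the Logging and Notice frameworks. Names are assumptions.
@load base/frameworks/notice
@load base/utils/site

module LongConn;

export {
    ## Identifier for our log stream. The Logging framework derives the
    ## output file name from this ID (long_conn.log with the ASCII writer).
    redef enum Log::ID += { LOG };

    ## Notice type raised for a connection that outlives the threshold.
    redef enum Notice::Type += { Seen };

    ## Connections lasting at least this long are logged and noticed.
    ## Constructed default; tune it per site with redef.
    const duration_threshold = 10min &redef;

    ## One line of the log. Every field marked &log is written out.
    type Info: record {
        ts:       time     &log;
        uid:      string   &log;
        id:       conn_id  &log;
        duration: interval &log;
        service:  string   &log &optional;
    };

    ## Event fired for each record written, so other scripts can react to it.
    global log_long_conn: event(rec: Info);
}

event bro_init() &priority=5
    {
    # Register the stream; the framework picks the writer (ASCII by default).
    Log::create_stream(LongConn::LOG, [$columns=Info, $ev=log_long_conn]);

    # Second output, long_conn_external.log, restricted by a predicate to
    # connections whose responder is outside Site::local_nets.
    Log::add_filter(LongConn::LOG,
                    [$name="external-only",
                     $path="long_conn_external",
                     $pred(rec: Info) = { return ! Site::is_local_addr(rec$id$resp_h); }]);
    }

# connection_state_remove fires once per connection when Bro expires its
# state, so c$duration is final here.
event connection_state_remove(c: connection)
    {
    if ( c$duration < duration_threshold )
        return;

    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $duration=c$duration];

    # c$service is a set[string] (DPD may have detected several); flatten it.
    if ( |c$service| > 0 )
        rec$service = join_string_set(c$service, ",");

    Log::write(LongConn::LOG, rec);

    # Raise the notice; $identifier lets the Notice framework suppress repeats.
    NOTICE([$note=LongConn::Seen,
            $msg=fmt("connection %s lasted %s", c$uid, c$duration),
            $conn=c,
            $identifier=c$uid]);
    }
```

The notice ends up in notice.log through the Notice framework's default actions; if you want it e-mailed or escalated, that is done in a `Notice::policy` hook rather than here, which is exactly the separation the framework is meant to provide.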
