A Tutorial on Writing (Binary) Bro Plugins



SLIDE 1

Robin Sommer
Corelight / International Computer Science Institute / Berkeley Lab
robin@corelight.com, robin@icir.org, https://www.icir.org/robin

SLIDES 2-4 (one diagram, built up over three slides)

The Bro Platform

Diagram labels: Network, Analysis Tap, Platform.

Platform core: Programming Language, Packet Processing, Standard Library

Platform extension points: Protocol Parsers, File Parsers, Packet Sources, Log Writers, Input Readers, Built-in Events, Functions, Types

Applications built on the platform: Vulnerability Mgmt, Intrusion Detection, File Analysis, Compliance Monitoring, Traffic Measurement, Traffic Control

Open Source, BSD License

SLIDE 5

Bro Plugins

Diagram: a Plugin box holding Protocol Parsers, File Parsers, Packet Sources, Log Writers, Input Readers, Built-in Events, Functions, Types.

A Bro plugin is a container for independently compiled components, wrapped into a shared library and loaded at startup.

SLIDE 6

Bro Plugins on GitHub

PostgreSQL, Kafka, Community ID, AF_Packet, HTTP/2, ZeroMQ, FIX, LDAP, Elastic, Netmap, Myricom, PF_RING

SLIDE 7

Plugin Structure

  • <base>/__bro_plugin__: marks a directory as containing a Bro plugin, and contains the name of the plugin
  • <base>/lib/<plugin-name>.<os>-<arch>.so: shared library implementing the plugin and its components
  • <base>/scripts/: Bro scripts coming with the plugin; will be added to BROPATH

SLIDES 8-9

Getting Started

Bro comes with a helper script that creates a fully compilable, empty plugin skeleton:

    # cd aux/bro-aux/plugin-support
    # ./init-plugin <dir> <namespace> <plugin-name>

Demo

SLIDE 10

Component APIs

SLIDE 11

File Analyzer API

    class file_analysis::Analyzer {
        virtual void Init();
        virtual void Done();
        virtual bool DeliverChunk(const u_char* data, uint64 len, uint64 offset);
        virtual bool DeliverStream(const u_char* data, uint64 len);
        virtual bool EndOfFile();
        virtual bool Undelivered(uint64 offset, uint64 len);
    };

Component type: plugin::component::FILE_ANALYZER

SLIDE 12

Protocol Analyzer API

    class analyzer::Analyzer {
        virtual void Init();
        virtual void Done();
        virtual void DeliverPacket(int len, const u_char* data, bool orig,
                                   uint64 seq, const IP_Hdr* ip, int caplen);
        virtual void DeliverStream(int len, const u_char* data, bool orig);
        virtual void Undelivered(uint64 seq, int len, bool orig);
        virtual void EndOfData(bool is_orig);
        virtual void FlipRoles();
    };

Component type: plugin::component::ANALYZER
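The two callbacks that trip up most new protocol analyzers are DeliverStream, which hands over TCP payload in segment-sized pieces that have nothing to do with protocol message boundaries, and Undelivered, which reports a hole in the stream (packet loss, capture drops, or deliberate evasion). An analyzer that glues the bytes on either side of a hole together, or that buffers an endless line from an untrusted peer, is either wrong or a memory DoS. The following is an added example and not code from the slides or from Bro: a line-oriented analyzer that buffers per direction, resynchronises after a hole, bounds its buffer, and survives FlipRoles. The analyzer::Analyzer base class here is a stand-in that repeats only the signatures on the slide so the file builds without Bro's headers; a real plugin derives from analyzer/Analyzer.h, raises events through ConnectionEvent() and registers an analyzer::Component. LineEvent, LineProtoAnalyzer, feed and demo_session are this example's own names, and the session data is constructed, not captured.

```cpp
// Added example; analyzer::Analyzer below is a stand-in, not Bro's class.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

typedef uint64_t uint64;
typedef unsigned char u_char;
class IP_Hdr;  // opaque here; only the DeliverPacket signature mentions it

namespace analyzer {
class Analyzer {  // stand-in for Bro's analyzer::Analyzer
public:
    virtual ~Analyzer() {}
    virtual void Init() {}
    virtual void Done() {}
    virtual void DeliverPacket(int, const u_char*, bool, uint64, const IP_Hdr*, int) {}
    virtual void DeliverStream(int, const u_char*, bool) {}
    virtual void Undelivered(uint64, int, bool) {}
    virtual void EndOfData(bool) {}
    virtual void FlipRoles() {}
};
}

struct LineEvent {   // stand-in for the event a real analyzer would raise
    bool is_orig;    // true = originator side
    std::string line;
    bool after_gap;  // first line in this direction after an Undelivered() hole
};

// Line-oriented request/response analyzer (SMTP/IRC-style protocols).
class LineProtoAnalyzer : public analyzer::Analyzer {
public:
    std::vector<LineEvent> events;
    int gaps = 0;      // Undelivered() calls seen
    int overlong = 0;  // lines longer than kMaxLine, dropped

    void DeliverStream(int len, const u_char* data, bool orig) override {
        Side& s = side(orig);
        s.buf.append(reinterpret_cast<const char*>(data), len);
        // A line can span segments and a segment can hold several lines:
        // consume complete lines only, keep the remainder buffered.
        size_t nl;
        while ((nl = s.buf.find('\n')) != std::string::npos) {
            std::string line = s.buf.substr(0, nl);
            s.buf.erase(0, nl + 1);
            if (!line.empty() && line.back() == '\r')
                line.pop_back();
            if (s.resync) {  // bytes up to this newline began inside a hole
                s.resync = false;
                continue;
            }
            events.push_back({orig, line, s.after_gap});
            s.after_gap = false;
        }
        if (s.buf.size() > kMaxLine) {  // untrusted peer: bound the buffer
            s.buf.clear();
            s.resync = true;
            ++overlong;
        }
    }

    void Undelivered(uint64 /*seq*/, int /*len*/, bool orig) override {
        // Hole in this direction (packet loss, capture drop, evasion). The
        // buffered bytes can no longer be trusted to join up with what
        // follows: drop them and resynchronise at the next newline instead
        // of silently gluing both sides of the hole together.
        Side& s = side(orig);
        s.buf.clear();
        s.resync = true;
        s.after_gap = true;
        ++gaps;
    }

    void EndOfData(bool orig) override {
        Side& s = side(orig);
        if (!s.buf.empty() && !s.resync)  // flush an unterminated last line
            events.push_back({orig, s.buf, s.after_gap});
        s.buf.clear();
    }

    void FlipRoles() override {
        // Bro corrected its originator/responder guess mid-connection: the
        // orig flag now refers to the other endpoint, so swap per-side state.
        std::swap(client, server);
    }

private:
    enum : size_t { kMaxLine = 4096 };
    struct Side { std::string buf; bool resync = false; bool after_gap = false; };
    Side client, server;
    Side& side(bool orig) { return orig ? client : server; }
};

inline void feed(LineProtoAnalyzer& a, const char* seg, bool orig) {
    a.DeliverStream(static_cast<int>(std::strlen(seg)),
                    reinterpret_cast<const u_char*>(seg), orig);
}

// Constructed session, not captured traffic: segments split mid-line, a
// hole in the client stream, and a role flip with data still buffered.
inline LineProtoAnalyzer demo_session() {
    LineProtoAnalyzer a;
    a.Init();
    feed(a, "HE", true);
    feed(a, "LO a\r\nHELO b\r\nHE", true);  // two lines plus a partial
    a.Undelivered(42, 7, true);             // hole: the buffered "HE" is unusable
    feed(a, "LO c\r\nHELO d\r\n", true);    // "LO c" is a fragment and is dropped
    feed(a, "250 ok\r\n", false);           // responder direction is unaffected
    feed(a, "QU", true);
    a.FlipRoles();
    feed(a, "IT\r\n", false);               // completes the swapped buffer
    a.EndOfData(true);
    a.EndOfData(false);
    a.Done();
    return a;
}

int main() {
    LineProtoAnalyzer a = demo_session();
    for (const LineEvent& e : a.events)
        std::printf("%c %s%s\n", e.is_orig ? '>' : '<', e.line.c_str(),
                    e.after_gap ? "  [first line after gap]" : "");
    return 0;
}
```

Dropping the fragment after a hole is deliberately conservative: if the hole happened to end exactly on a line boundary, one intact line is lost too, but the analyzer never reports a line it did not actually see in full. In a real plugin the place to surface gaps and overlong lines is a weird or a dedicated event, so that evasion attempts are visible rather than silently absorbed.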

SLIDE 13

Packet Source API

    class iosource::PktSrc {
        virtual void Open();
        virtual void Close();
        virtual bool ExtractNextPacket(Packet* pkt);
        virtual void DoneWithPacket();
        virtual bool PrecompileFilter(int index, std::string filter);
        virtual bool SetFilter(int index);
        virtual void Statistics(Stats* stats);
        void Opened(const Properties& props);
    };

Component type: plugin::component::PKTSRC

SLIDE 14

Log Writer API

    class logging::WriterBackend {
        virtual bool DoInit(const WriterInfo& info, int num_fields,
                            const threading::Field* const* fields);
        virtual bool DoWrite(int num_fields, const threading::Field* const* fields,
                             threading::Value** vals);
        virtual bool DoSetBuf(bool enabled);
        virtual bool DoRotate(const char* rotated_path, double open, double close,
                              bool terminating);
        virtual bool DoFlush(double network_time);
        virtual bool DoFinish(double network_time);
        virtual bool DoHeartbeat(double network_time, double current_time);
    };

Component type: plugin::component::WRITER
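Every value that reaches DoWrite came off the wire: a hostname, a URI, a user name chosen by whoever is being monitored. A writer that copies such a value into its output verbatim lets that party inject a record terminator or field separator and forge log entries that downstream tooling will happily parse. The following is an added example, not code from the slides or from Bro: a tab-separated writer built against the slide's interface whose one non-trivial job is escaping. The threading::Field, threading::Value, logging::WriterInfo and logging::WriterBackend types are reduced stand-ins for Bro's (the real Value is a tagged union over every Bro type); TsvWriter and demo_log are this example's own names, and the records are constructed.

```cpp
// Added example; the threading:: and logging:: types here are stand-ins.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

namespace threading {
struct Field { std::string name; };
struct Value {          // Bro's Value is a tagged union over every Bro type
    enum Kind { STRING, COUNT, BOOL } kind;
    bool present;       // unset optional fields are logged as "-"
    std::string s;
    uint64_t n;
    bool b;
};
}

namespace logging {
struct WriterInfo { std::string path; };
class WriterBackend {   // stand-in: the slide's methods only
public:
    virtual ~WriterBackend() {}
    virtual bool DoInit(const WriterInfo& info, int num_fields,
                        const threading::Field* const* fields) = 0;
    virtual bool DoWrite(int num_fields, const threading::Field* const* fields,
                         threading::Value** vals) = 0;
    virtual bool DoSetBuf(bool) { return true; }
    virtual bool DoRotate(const char*, double, double, bool) { return true; }
    virtual bool DoFlush(double) { return true; }
    virtual bool DoFinish(double) { return true; }
    virtual bool DoHeartbeat(double, double) { return true; }
};
}

// Tab-separated writer. A real writer hands lines to a file or socket;
// this one keeps them in memory so the output can be checked.
class TsvWriter : public logging::WriterBackend {
public:
    std::vector<std::string> lines;

    // Field values come from the wire. Encode the separator, the record
    // terminator and other control bytes as \xNN (the scheme Bro's ASCII
    // writer uses for non-printables); escaping the backslash as well is
    // this example's addition, so a value cannot spoof an escape sequence.
    static std::string Escape(const std::string& v) {
        std::string out;
        for (unsigned char c : v) {
            if (c == '\t' || c == '\n' || c == '\r' || c == '\\' ||
                c < 0x20 || c == 0x7f) {
                char hex[5];
                std::snprintf(hex, sizeof hex, "\\x%02x", static_cast<unsigned>(c));
                out += hex;
            } else {
                out += static_cast<char>(c);
            }
        }
        return out;
    }

    bool DoInit(const logging::WriterInfo&, int num_fields,
                const threading::Field* const* fields) override {
        std::string hdr = "#fields";
        for (int i = 0; i < num_fields; ++i)
            hdr += "\t" + Escape(fields[i]->name);
        lines.push_back(hdr);
        return true;
    }

    bool DoWrite(int num_fields, const threading::Field* const*,
                 threading::Value** vals) override {
        std::string rec;
        for (int i = 0; i < num_fields; ++i) {
            if (i) rec += '\t';
            const threading::Value& v = *vals[i];
            if (!v.present)                              rec += '-';
            else if (v.kind == threading::Value::STRING) rec += Escape(v.s);
            else if (v.kind == threading::Value::COUNT)  rec += std::to_string(v.n);
            else                                         rec += v.b ? 'T' : 'F';
        }
        lines.push_back(rec);
        return true;
    }
};

// Constructed records, not real traffic. The second carries a hostname
// crafted to look like a record terminator followed by a forged record.
inline std::vector<std::string> demo_log() {
    threading::Field f_uid{"uid"}, f_host{"host"}, f_code{"status_code"};
    const threading::Field* fields[] = {&f_uid, &f_host, &f_code};
    TsvWriter w;
    w.DoInit(logging::WriterInfo{"http"}, 3, fields);

    threading::Value uid{threading::Value::STRING, true, "CHhAvVGS1", 0, false};
    threading::Value host{threading::Value::STRING, true, "www.example", 0, false};
    threading::Value code{threading::Value::COUNT, true, "", 200, false};
    threading::Value* rec1[] = {&uid, &host, &code};
    w.DoWrite(3, fields, rec1);

    threading::Value evil{threading::Value::STRING, true,
                          "evil.example\nCforged1\tadmin.internal\t200", 0, false};
    threading::Value unset{threading::Value::COUNT, false, "", 0, false};
    threading::Value* rec2[] = {&uid, &evil, &unset};
    w.DoWrite(3, fields, rec2);
    w.DoFinish(0.0);
    return w.lines;
}
```

The forged record stays inside its own field as a single line, and a reader that splits on tabs and newlines recovers exactly three fields. The same discipline applies to writers for structured sinks (JSON, database, message queue): whatever the sink's own metacharacters are, the writer, not the consumer, is the place to neutralise them.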

SLIDE 15

Input Reader API

    class input::ReaderBackend {
        virtual bool DoInit(const ReaderInfo& info, int arg_num_fields,
                            const threading::Field* const* fields);
        virtual void DoClose();
        virtual bool DoUpdate();
        virtual bool DoHeartbeat(double network_time, double current_time);
        void SendEvent(const char* name, const int num_vals, threading::Value** vals);
        void Put(threading::Value** val);
        void Delete(threading::Value** val);
        void Clear();
    };

Component type: plugin::component::READER

SLIDE 16

Some notes for the advanced plugin writer ...

SLIDE 17

Plugin Activation

A plugin needs to be activated to have an effect. By default, Bro activates all plugins that it finds in BRO_PLUGIN_PATH, so normally there is nothing to do. Bare mode (bro -b) works differently:

  • Bro will not activate any plugins by default.
  • Bro scripts can activate plugins: @load-plugin rsmmr::Demo
  • The command line can, too; a plugin name is accepted where a script name would be: bro -i <iface> rsmmr::Demo
  • The environment can, too: export BRO_PLUGIN_ACTIVATE=rsmmr::Demo

SLIDE 18

Bro Scripts in Plugins

  • <dir>/scripts/: will be automatically added to BROPATH
  • <dir>/scripts/__load__.bro: loaded when the plugin gets activated; BiF elements will already be available
  • <dir>/scripts/__preload__.bro: loaded when the plugin gets activated, but before any BiF elements become available
  • <dir>/scripts/<ns>/<name>/__load__.bro: loaded on demand through, e.g., @load rsmmr/Demo

SLIDE 19

Hooking into the Script Interpreter

    class plugin::Plugin {
        virtual int HookLoadFile(const LoadType type,   // SCRIPT, SIGNATURES, PLUGIN
                                 std::string file, std::string resolved);
        virtual std::pair<bool, Val*> HookCallFunction(const Func* func, Frame* parent,
                                                       val_list* args);
        virtual bool HookQueueEvent(Event* event);
        virtual void HookDrainEvents();
        virtual void HookUpdateNetworkTime(double network_time);
        virtual void HookSetupAnalyzerTree(Connection* conn);
        virtual void HookBroObjDtor(void* obj);
        virtual void HookLogInit(…);    // 2.6
        virtual void HookLogWrite(…);   // 2.6
        virtual bool HookReporter(…);   // 2.6
    };

A hook needs to be activated explicitly:

    Plugin::EnableHook(HookType hook, int priority = 0)
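Two details of the hook contract matter once more than one plugin installs the same hook. First, the return value of HookQueueEvent means "I took charge of this event": a plugin that returns true now owns the Event and Bro will not queue it, while false lets normal processing continue. Second, the priority passed to EnableHook decides the order in which plugins are consulted (highest first), and the first plugin that takes charge ends the round, so lower-priority hooks never see that event. The following is an added example, not code from the slides or from Bro: a plugin that discards a flood of one event type once a per-second budget is spent, and a tallying plugin whose count depends entirely on where its priority puts it. Event, plugin::Plugin and plugin::Manager are stand-ins written to that contract (HookEnabled and HookPriority are helpers of the stand-in, not Bro API; EnableHook keeps the slide's signature); EventBudget, EventTally, DemoResult and demo_hooks are this example's own names, and the event stream is constructed.

```cpp
// Added example; Event, plugin::Plugin and plugin::Manager are stand-ins.
#include <algorithm>
#include <cmath>
#include <map>
#include <string>
#include <utility>
#include <vector>

struct Event { std::string name; double time; };  // stand-in for Bro's Event
enum HookType { HOOK_QUEUE_EVENT };                // only the hook used here

namespace plugin {
class Plugin {  // stand-in for plugin::Plugin
public:
    virtual ~Plugin() {}
    // Return true only when taking charge of the event (the plugin then
    // owns it and must release it); false lets Bro queue it as usual.
    virtual bool HookQueueEvent(Event*) { return false; }
    bool HookEnabled(HookType h) const { return hooks.count(h) != 0; }  // helper, not Bro API
    int HookPriority(HookType h) const { return hooks.at(h); }          // helper, not Bro API
protected:
    void EnableHook(HookType hook, int priority = 0) { hooks[hook] = priority; }
private:
    std::map<HookType, int> hooks;
};

class Manager {  // stand-in for the dispatch loop in plugin::Manager
public:
    void Register(Plugin* p) { plugins.push_back(p); }
    bool HookQueueEvent(Event* e) {
        std::vector<Plugin*> l;
        for (Plugin* p : plugins)
            if (p->HookEnabled(HOOK_QUEUE_EVENT)) l.push_back(p);
        std::stable_sort(l.begin(), l.end(), [](Plugin* a, Plugin* b) {
            return a->HookPriority(HOOK_QUEUE_EVENT) > b->HookPriority(HOOK_QUEUE_EVENT);
        });
        for (Plugin* p : l)
            if (p->HookQueueEvent(e)) return true;  // taken; the round ends here
        return false;
    }
private:
    std::vector<Plugin*> plugins;
};
}

// Takes charge of (i.e. discards) events of one name once a per-second
// budget is spent, so a flood of one event type cannot starve the queue.
class EventBudget : public plugin::Plugin {
public:
    EventBudget(std::string name, int per_second)
        : target(std::move(name)), budget(per_second) { EnableHook(HOOK_QUEUE_EVENT, 0); }
    int dropped = 0;
    bool HookQueueEvent(Event* e) override {
        if (e->name != target) return false;           // not ours: pass through
        double sec = std::floor(e->time);
        if (sec != window) { window = sec; used = 0; }  // new one-second window
        if (++used <= budget) return false;
        ++dropped;
        return true;  // a real plugin must Unref/delete the Event here
    }
private:
    std::string target; int budget; double window = -1; int used = 0;
};

// Tallies every event it is shown; its priority decides whether it sees
// the whole stream or only what survived the budget.
class EventTally : public plugin::Plugin {
public:
    explicit EventTally(int priority) { EnableHook(HOOK_QUEUE_EVENT, priority); }
    std::map<std::string, int> seen;
    bool HookQueueEvent(Event* e) override { ++seen[e->name]; return false; }
};

struct DemoResult { int tallied; int queued; int dropped; };

// Constructed event stream: 30 dns_request within one second (budget 10/s)
// plus two ssh_auth_failed. A tally_priority above 0 runs before the budget.
inline DemoResult demo_hooks(int tally_priority) {
    plugin::Manager mgr;
    EventBudget budget("dns_request", 10);
    EventTally tally(tally_priority);
    mgr.Register(&budget);  // registration order does not decide hook order
    mgr.Register(&tally);
    DemoResult r{0, 0, 0};
    for (int i = 0; i < 30; ++i) {
        Event e{"dns_request", 1.0 + i * 0.01};
        if (!mgr.HookQueueEvent(&e)) ++r.queued;
    }
    for (int i = 0; i < 2; ++i) {
        Event e{"ssh_auth_failed", 1.5 + i * 0.1};
        if (!mgr.HookQueueEvent(&e)) ++r.queued;
    }
    r.tallied = tally.seen["dns_request"] + tally.seen["ssh_auth_failed"];
    r.dropped = budget.dropped;
    return r;
}
```

With the tally at priority 10 it counts all 32 events while only 12 are queued; at priority -1 it counts 12, because the budget plugin has already taken the other 20 before the tally is consulted. Any plugin that audits, forwards or records events therefore needs a priority above every plugin that may swallow them, and a plugin that swallows events must actually release them or it leaks one Event per drop.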

SLIDE 20

More on Writing Plugins

Much of what I've been talking about is summarized here (except file analysis):

https://www.bro.org/sphinx/devel/plugins.html

Bro package manager documentation:

https://bro-package-manager.readthedocs.io/en/stable/package.html#binary-bro-plugin-package

Look at existing plugins:

  • Bro packages: packages.bro.org/tags, filter for "bro plugin"
  • Bro's source code comes with many built-in plugins

Ask on the development mailing list:

https://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev