bro scripts
play

Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: - PowerPoint PPT Presentation

Dec 13, 2022 •154 likes •292 views

Bro Scripts The Bro Monitoring Platform Agenda Thursday Block 1: Bro-Overview and introduction. Structure, setup, administration. Exercise: find your way around in the training VM. Block 2: Bro-logs, network logs. Introduction on

  1. Bro Scripts The Bro Monitoring Platform

  2. Agenda Thursday Block 1: Bro-Overview and introduction. Structure, setup, administration. • Exercise: find your way around in the training VM. • Block 2: Bro-logs, network logs. • Introduction on logs in Bro. • Exercise: use Bro logs to find the attack. Block 3: Working with Bro scripts. Exercise: access and use included and external • scripts. 2 The Bro Monitoring Platform

  3. Block 3 Outline • Using included scripts • Working with external scripts • First glimpse on the Bro scripting language 3 The Bro Monitoring Platform

  4. Objectives for this block • Being able to find and include Bro scripts • Get familiar with the different sources of Bro scripts • Understand the basics of the Bro scripting language 4 The Bro Monitoring Platform

  5. Scripts are Bro’s “Magic Ingredient” Bro comes with >10,000 lines of script code. Prewritten functionality that’s just loaded. Scripts generate everything we have seen. Amendable to extensive customization and extension. Growing community writing 3rd party scripts. Bro could report Mandiant’s APT1 indicators within a day. 5 The Bro Monitoring Platform

  6. How to tell Bro which scripts to load Where (standard scripts) <prefix>/share/bro load scripts within a script @load <path-to-script> from the command line bro <options> <scripts...> Documentation: http://www.bro.org/sphinx/scripts/index.html 6 The Bro Monitoring Platform

  7. Script directory walk through • base/ • Everything loaded by default. Scripts meant to: • enable analyzers, collect state, generate protocol logs, provide reusable frameworks and function libraries. • base/ is not in the default $BROPATH! • policy/ • Not loaded by default. • Place for scripts that not everyone may want to load. • Pick and choose. • site/ • Location for local configuration. • No overwrite during installation. • BroControl loads site/local.bro as top-level site script. 7 The Bro Monitoring Platform

  8. script example: policy/misc/capture-loss export module CaptureLoss; export { redef enum Log::ID += { LOG }; redef enum Notice::Type += { ## Report if the detected capture loss exceeds the percentage ## threshold. Too_Much_Loss }; type Info: record { ## Timestamp for when the measurement occurred. ts: time &log; ## The time delay between this measurement and the last. ts_delta: interval &log; ## In the event that there are multiple Bro instances logging ## to the same host, this distinguishes each peer with its ## individual name. peer: string &log; ## Number of missed ACKs from the previous measurement interval. gaps: count &log; ## Total number of ACKs seen in the previous measurement interval. acks: count &log; ## Percentage of ACKs seen where the data being ACKed wasn't seen. percent_lost: double &log; }; ## The interval at which capture loss reports are created. const watch_interval = 15mins &redef; ## The percentage of missed data that is considered "too much" ## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be ## generated. The value is expressed as a double between 0 and 1 with 1 ## being 100%. const too_much_loss: double = 0.1 &redef; } 8 The Bro Monitoring Platform

  9. script example: policy/misc/capture-loss export module CaptureLoss; export { … ## The interval at which capture loss reports are created. const watch_interval = 15mins &redef; ## The percentage of missed data that is considered "too much" ## when the :bro:enum:`CaptureLoss::Too_Much_Loss` notice should be ## generated. The value is expressed as a double between 0 and 1 with 1 ## being 100%. const too_much_loss: double = 0.1 &redef; } 9 The Bro Monitoring Platform

  10. script example: policy/misc/capture-loss export module CaptureLoss; export { redef enum Log::ID += { LOG }; redef enum Notice::Type += { ## Report if the detected capture loss exceeds the percentage ## threshold. Too_Much_Loss }; 10 The Bro Monitoring Platform

  11. script example: policy/misc/capture-loss module CaptureLoss; export { … type Info: record { ## Timestamp for when the measurement occurred. ts: time &log; ## The time delay between this measurement and the last. ts_delta: interval &log; ## In the event that there are multiple Bro instances logging ## to the same host, this distinguishes each peer with its ## individual name. peer: string &log; ## Number of missed ACKs from the previous measurement interval. gaps: count &log; ## Total number of ACKs seen in the previous measurement interval. acks: count &log; ## Percentage of ACKs seen where the data being ACKed wasn't seen. percent_lost: double &log; }; … } 11 The Bro Monitoring Platform

  12. Bro script resources 12 The Bro Monitoring Platform

  13. Using External Scripts Demo 13 The Bro Monitoring Platform

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net May 10, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

298 views • 15 slides
Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts

Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts

Scriptless Scripts Scriptless Scripts Andrew Poelstra grindelwald@wpsoftware.net March 4, 2017 Scriptless Scripts Introduction Scriptless Scripts? Scriptless scripts: magicking digital signatures so that they can only be created by

794 views • 40 slides
scripts.mit.edu Quentin Smith scripts@mit.edu Student Information Processing Board October 29,

scripts.mit.edu Quentin Smith scripts@mit.edu Student Information Processing Board October 29,

Services Backend Further Info scripts.mit.edu Quentin Smith scripts@mit.edu Student Information Processing Board October 29, 2019 Quentin Smith scripts@mit.edu scripts.mit.edu Services Backend Further Info Outline Services 1 Web Mail

897 views • 42 slides
perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post

perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post

perf scripts jiri olsa 1 PERF SCRIPTS | JIRI OLSA HI basics perf in python post process scripts 2 PERF SCRIPTS | JIRI OLSA COUNTING perf stat CPU 0 CPU 1 CPU 2 start $ perf stat -e ' cycles,instructions ' WORKLOAD

1.2k views • 59 slides
Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29

Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29

Using Python for shell scripts Peter Hill Using Python for shell scripts | January 2018 | 1/29 Outline Advantages/disadvantages of Python Running a parameter scan example Command line arguments Working with filesystem paths Working with

554 views • 29 slides
Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction

Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction

Collaboration Scripts for CSCL Frank Fischer, Ingo Kollar, Christof Wecker Introduction www.kloster-seeon.de 2 Outline 1. Internal collaboration scripts 2. External collaboration scripts 3 Internal collaboration scripts What they are play

247 views • 24 slides
Listing Presentation Scripts Agent Scripts &amp; Dialogues Listing Presentation Script for Real

Listing Presentation Scripts Agent Scripts &amp; Dialogues Listing Presentation Script for Real

Listing Presentation Scripts Agent Scripts &amp; Dialogues Listing Presentation Script for Real Estate Agents Learn the listing presentation scripts and dialogues that top agents use in listing consultations to list more homes for sale. An

325 views • 4 slides
COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello

COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello

COMP 2718: Shell Scripts: Part 1 By: Dr. Andrew Vardy Outline Shell Scripts: Part 1 Hello World Shebang! Example Project Introducing Variables Variable Names Variable Facts Arguments Exit Status Branching:

526 views • 36 slides
What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode

What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode

What is Unicode? Universal Character Set All of the major scripts Sinhala Unicode Simple and consistent manner Developer Workshop Alphabetic, syllabic and ideographic scripts Version 4.0 Muthu Nedumaran 50,000

686 views • 4 slides
Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May

Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May

Scriptless Scripts Andrew Poelstra Research Director, Blockstream scriptless@wpsoftware.net May 18, 2018 1 / 11 Mimblewimble and Scriptless Scripts Mimblewimble, proposed in 2016 by Tom Elvis Jedusor No scripts, only signatures. What

509 views • 11 slides
SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements

SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements

SQL110 Transact SQL Essentials Scripts Doug Shook Scripts Series of SQL Statements Grouped into batches Batches are executed when a GO statement is hit Why are these batches necessary? Certain commands cannot be

452 views • 21 slides
Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with

Introduction Symbolic Execution of Scripts Symbolic Execution of Maintainer Scripts Demo Time Detected Bugs Conclusions App Symbolic Execution of Maintainer Scripts Nicolas Jeannerod and Ralf Treinen joint work with Benedikt Becker, Claude

1.71k views • 115 slides
Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER

Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER

Cloud of Suspicion Scaling Up Phishing campaigns Using Google Apps Scripts MAOR BIN NOVEMBER 2017 Overview Google Apps Scripts Overview Google Apps Scripts A scripting language based on JavaScript that lets you automate actions with

268 views • 15 slides
E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come

E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come

E-Scripts A Pharmacist Perspective Workflow IS Changing In transition prescriptions come many ways telephone fax e-script paper Not allowed for scheduled meds E-Scripts Workflow Script shows on Work queue

95 views • 6 slides
Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational

Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational

Bro Package Manager Why arent scripts being shared? Secret techniques? Organizational momentum against sharing? Difficulty in making scripts generally applicable? Difficulty in discovery and installation? We can solve this one!

484 views • 23 slides
More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell Scripts Shell Variables and the Environment Simple Shell Scripting More Advanced Shell Scripting Start-up Shell Scripts Shells and Shell

367 views • 17 slides
Seminar Series Industrial Cyber Threats and Future Planning Robert M. Lee Twitter: @RobertMLee

Seminar Series Industrial Cyber Threats and Future Planning Robert M. Lee Twitter: @RobertMLee

Seminar Series Industrial Cyber Threats and Future Planning Robert M. Lee Twitter: @RobertMLee Email: rlee@dragos.com Web: www.dragos.com Agenda Where We Are Selected Case Studies in Cyber Attacks Where Were Heading

424 views • 24 slides
Hypoparathyroidism: From Diagnosis to New Management Options Dolores Shoback, MD Professor of

Hypoparathyroidism: From Diagnosis to New Management Options Dolores Shoback, MD Professor of

3/18/16 Hypoparathyroidism: From Diagnosis to New Management Options Dolores Shoback, MD Professor of Medicine University of California, San Francisco Continuing Medical Education March 18, 2016 Disclosure Investigator on NPS

404 views • 25 slides
Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence

Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence

Telencephalon/Cerebral Cortex - Anatomy Cerebral Cortex Box 26D Brain Size and Intelligence 1.12 Gross anatomy of the forebrain. (Part 3) Haines, Fund. Neuro., Fig 16 10 Figure A21 The ventricular system of the human brain (Part 1) Box

589 views • 36 slides
Filling a Need to Reduce Wait Time for Autism Assessments: The Autism Spectrum Assessment

Filling a Need to Reduce Wait Time for Autism Assessments: The Autism Spectrum Assessment

Filling a Need to Reduce Wait Time for Autism Assessments: The Autism Spectrum Assessment Program at Connecticut Childrens Medical Center Jennifer Twachtman-Bassett, M.S. CCC-SLP Department of Speech-Language Pathology Lead Clinician ~

397 views • 17 slides
NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE

NEEDLES IN A HAYSTACK: MINING INFORMATION FROM PUBLIC DYNAMIC SANDBOXES FOR MALWARE INTELLIGENCE Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi and Davide Balzarotti Eurecom Symantec Research Labs Universit degli Studi di

695 views • 34 slides
2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and

2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and

2013 - The year in Review thinkst applied research @haroonmeer | @marcoslaviero Who we are (and why does it matter?) Who we are (and why does it matter?) So... 2013 2013 Significant Events Research Themes Future Themes ? References / Links

983 views • 71 slides
OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz

OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz

DETECT . ANALYZE . REMEDIATE OSINT: The Secret Weapon in Hunting Nation-State Campaigns alon@intsights.com Alon Arvatz +972-545444313 1 1 1 What People Think 2 True or False? Threat intelligence Nation-state actors Commercial threat

247 views • 24 slides
Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:&gt;

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:&gt;

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:&gt; whoami /all Tom Ueltschi Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!) Focus &amp; Interests: Malware Analysis, Threat Intel,

1.45k views • 115 slides

More recommend