Attributes and Ports Questions

Hi All,

Is anyone using the following attributes? How are you using them? I
believe some of these have been deprecated.
&rotate_interval
&rotate_size
&mergeable
&synchronize (I think there was a post earlier last month about this one)
&persistent
&group
&add_func
&delete_func
&encrypt (applying this to a file causes Bro to "elegantly terminate" for me)
bro -Ci eth0 -e 'global f1: file = open("f.out") &encrypt'

What is the purpose of the unknown port type? And why do they only
range from 0-255? Compare the results of the following commands.
bro -e 'print 0/unknown; print 255/unknown;'
bro -e 'print 0/unknown; print 255/unknown; print 256/unknown;'

How are ports flattened? See the results of the following command.
bro -e 'print 0/udp; print |0/udp|; print |32/tcp|; print |11/tcp|;
print |132/unknown|; print 132/unknown;'

Any insights are appreciated.

-AK

What is the purpose of the unknown port type?

It should mostly be used internally to signify an uninitialized/invalid transport protocol. I don’t think it’s common for that to actually be exposed to the scripting-layer for practical usage.

And why do they only
range from 0-255? Compare the results of the following commands.
bro -e 'print 0/unknown; print 255/unknown;'
bro -e 'print 0/unknown; print 255/unknown; print 256/unknown;'

Likely arbitrary and just due to copy-paste of the code that parses ICMP port literals (for ICMP, Bro uses 0-255 to correspond to the Type/Code values).

How are ports flattened? See the results of the following command.
bro -e 'print 0/udp; print |0/udp|; print |32/tcp|; print |11/tcp|;
print |132/unknown|; print 132/unknown;'

Internally, a port is a single uint64 with some of the high-bits set to indicate which port-space it belongs to. You’re seeing that value here. E.g.

$ bro -e 'print |32/tcp| == 0x10000 + 32'
T
$ bro -e 'print |37/udp| == 0x20000 + 37'
T

- Jon
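To make the flattened representation Jon describes concrete, here is an added Python sketch (not Bro code and not from anyone in the thread) that parses a Bro port literal and converts it to and from that single integer. It assumes only what the thread shows: the low 16 bits carry the port number and the tcp and udp port spaces sit at offsets 0x10000 and 0x20000; the icmp and unknown offsets are not given in the thread, so they are deliberately left unhandled.

```python
import re

# Port-space offsets confirmed by the "bro -e" checks quoted above.
# The icmp/unknown offsets are not stated in the thread, so they are omitted.
SPACE_OFFSET = {"tcp": 0x10000, "udp": 0x20000}
PORT_MASK = 0xFFFF  # the low 16 bits hold the port number itself

# Shape of a Bro port literal, e.g. "32/tcp" or "132/unknown".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp|icmp|unknown)$")


def flatten(literal: str) -> int:
    """Turn a Bro port literal such as '32/tcp' into its flattened integer."""
    m = PORT_RE.match(literal)
    if not m:
        raise ValueError(f"not a port literal: {literal!r}")
    number, proto = int(m.group(1)), m.group(2)
    if proto not in SPACE_OFFSET:
        raise NotImplementedError(f"offset for {proto} is not given in the thread")
    if not 0 <= number <= PORT_MASK:
        raise ValueError(f"{number} is outside the 16-bit port range")
    return SPACE_OFFSET[proto] + number


def unflatten(value: int) -> str:
    """Reverse of flatten(): recover the literal from a flattened integer."""
    space = value & ~PORT_MASK  # keep only the high bits that name the port space
    for proto, offset in SPACE_OFFSET.items():
        if space == offset:
            return f"{value & PORT_MASK}/{proto}"
    raise ValueError(f"0x{value:x} does not sit in a port space this sketch knows")


if __name__ == "__main__":
    for lit in ("0/udp", "32/tcp", "11/tcp", "37/udp"):
        v = flatten(lit)
        print(f"{lit:>7} -> {v:#x} -> {unflatten(v)}")
```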

Hi Anthony,

have you seen this page?

https://www.bro.org/sphinx-git/script-reference/attributes.html

It's pretty new (though maybe it's actually where your questions are
coming from :)

To add a bit to that:

&rotate_interval
&rotate_size

This used to be the primary log rotation mechanism before we switched to
the new logging system/format. I've been wondering if we should just
remove these attributes.

&mergeable
&synchronize (I think there was a post earlier last month about this one)
&persistent

These are going to go away, but we aren't there yet. We may start
deprecating them with the next release, which is scheduled to ship
with a first version of their replacement, the new Broker library.

&group

A bit of an obscure feature, originally added to toggle selected sets
of analysis dynamically from BroControl. Don't think that's used
anywhere and I'm inclined to remove it.

&add_func
&delete_func

These aren't used very often, but can be useful in individual cases.

&encrypt (applying this to a file causes Bro to "elegantly terminate" for me)
bro -Ci eth0 -e 'global f1: file = open("f.out") &encrypt'

Another relic from old-style logging, although the new framework
doesn't have any equivalent functionality yet.

Mind filing a ticket for the crash? We should either fix it or remove
the attribute.

Robin

Thanks for the explanations, Jon.

-AK

That page is exactly where my questions are coming from. I tried using each of the attributes in a few toy scripts and was wondering if people are using them in production as I could not find some of them used in base or policy. Thanks for the insight, Robin.

-AK