Hi,
I’ve recently begun using Bro and have found it to be a very interesting tool to work with. I have started poking around some of the scripts and trying a few of the exercises in the slides from the 2009 Bro workshop. So far everything is working well.
I have created a few patches to fix small problems I had or add features that I was looking for. I have attached these patches so that others can use them if they find them useful. I am working off of svn build 7050. Here are the list of changes I have made so far:
-
Patched main.cc to add the -N command line flag. This effectively enables BRO_FAKE_DNS for that run. I think this is more useful than using an environment variable because the flags are listed in the command line help, and it makes it easier to change from run to run without manipulating environment variables.
-
Removed duplicate login_non_failure_msgs from policy/login.bro. The same block was listed twice, one with &redef and the other without. Seemed superfluous.
-
Commented out example in policy/scan.bro. It doesn’t seem like making the example value live added any value, and could possibly cause problems.
-
Edited policy/ssh.bro to print what port is being used for ssh servers. Also changed the data structure that tracks the servers to allow for multiple ssh servers on the same system. I found this useful when using dpd.
-
Created policy/dpd.ssh.bro that tells ssh to capture on all tcp ports.
-
Changed src/DPM.cc so that the SSH Analyzer is hooked into the analyzer tree, so that when using dpd.ssh.bro, ssh servers running on any tcp port are detected.
There are still some more features I plan to work on. Depending on how difficult it would be, I want to add the ability to hook an analyzer into the analyzer tree via script, so that the source doesn’t need to be edited for each. Or so that functionality could be toggled on or off depending on need.
I also started to convert the 6000+ Nmap service probe signatures into dpd signatures. I have an initial list, but a lot of the Nmap regexs cause problems with Bro. I am going to try to clean those up so that they can be useable with Bro.
For the scripts that send packets, such as terminate-connection.bro and the scripts that load it, I want to rewrite them so they can run in either Active or Passive mode. In Passive mode they wouldn’t send any packets, which would be the default behavior. I know that currently the default behavior is similar to this, but being able to designate individual scripts to be active or passive, or knowing for sure that all scripts are being passive could be useful and allow for more control.
I have a few more simple ideas that I will try to get working, and I will probably think of more as I experiment more with Bro. Any feedback would be greatly appreciated. Thanks for making such a great tool, using it has been very fun and interesting so far and I hope to learn more from it.
Thanks,
Ben Rosenberg
main.cc.patch (1.4 KB)
login.bro.patch (550 Bytes)
scan.bro.patch (356 Bytes)
dpd.ssh.bro (58 Bytes)
DPM.cc.patch (645 Bytes)
ssh.bro.patch (1.21 KB)