Hello, I'm the beginner of Bro, Seonmin.

Dear Sir or Madam.

Hi, Nice to meet you.
My name is Seonmin and I’m South Korean.

I’m studying Bro and I saw Bro User Manual.(version 0.9, 12-1-2004, DRAFT)
That’s really helpful for me to understand the Bro. Thank you so much.

All these days, I’ve searched far and wide the bro’s config files and other documents on the Internet.
However I couldn’t find the best one what I need…

I understand the sketchy knowledge. For example, The keynote of Bro’s benefits and simple flow.( Network → libpcap → event engine → PolicyScriptInterpreter)

But that kind of information is not enough for me to understand the Bro perfectly.

I want to know how to work the Bro accurately.(Some information of Bro’s architecture) I need like a Bro hierarchy structure.
( EX. To run the “bro/base/protocols” file, Bro needs the “bro/base/framewalk/analyzer” file. And it also needs the “bro/base/framewalk/packet_filter.util” file.)



bro/base/framewalk/packet_filter.util

|

  • |


    :arrow_upper_right:

    |


    bro/base/framewalk/analyzer

    |


    :arrow_upper_right:

    |


    bro/base/protocols

    |

So, I refered to the Bro User Manual’s “Appendix A Bro Directory and Files”. But It is corrupted like below.

If you don’t mind me asking, Would you send me the original file or picture of that?

  • based on that file, I will try to do the simplification of Bro. (To inspect only http packets)

I’m sorry for the sentences are not neat… If you are not sure what I mean, Please tell me.

Yours Faithfully,
Seonmin.

Seonmin,

The document you’re referencing is quite old, and I’m not sure that it would be of great benefit to you.

It seems like what you want to do is instruct Bro to only monitor port 80. Normally, I would advise people to do this at their traffic aggregation point, but that isn’t always available. You can do this within bro by using redef to change the value of PacketFilter::default_capture_filter.

Do this by adding the following line to your local.bro:

redef PacketFilter::default_capture_filter = “port 80”;

That having been said, I think what you actually want is to only analyze the HTTP protocol, which can occur on many ports. That’s a bit trickier. Let me know if this is what you want, and I’m certain that there is a way to do that as well, but I would need a minute to look into the best way to do it.

Thanks,

Stephen