I am a student new to BRO. I am learning it by solving any simple use case.
I am exploring practically how BRO’s internal functions work.
I could not find any links on the internal working (practically, like where/when/which files are invoked one by one in general).
Please redirect me to appropriate papers, links, documentation or examples.
San Jose State University
If you look at Bro’s main.cc file, you can see the two .bro script files it uses to bootstrap the rest of the policy scripts <https://github.com/bro/bro/blob/master/src/main.cc>.
Thanks for the reply.
I got init-bare.bro and init-default.bro.
Is there any way to see how these init-bare.bro and init-default.bro work stage by stage?
I want to see how code gets run stepwise.
San Jose State University
You could try removing @load statements from those files one by one and see what happens.
In addition to what Anthony suggests:
Bro has an option to trace execution and write the results to a file: I think it's '-T' or something along those lines. The trace file generated by running bro with this option can show you which script functions were called and in which order they were called ... but this option generates a *lot* of output, and should therefore only be used offline and (probably) with a relatively small capture file.
There's a benchmark script that ships with bro that also shows an example of incrementally running bro with 1 script loaded, 2 scripts loaded, etc. to see how each script affects bro's runtime: https://github.com/bro/bro-aux/blob/master/devel-tools/cpu-bench-with-trace
Also, maybe try taking a look at try.bro.org: it's a pretty nice way to play with bro and become familiar with how things work.
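As an added illustration of what "stage by stage" looks like (this is not from the thread and not Bro's own loader code): a small Python script that walks @load directives in the order Bro resolves them, run here on a constructed miniature script tree; read_tree can point it at the share/bro directory of a real install instead. It assumes a simplified model of the loader: each script is loaded once, depth-first, at its first @load; "@load x" means x.bro or x/__load__.bro; "./x" is relative to the loading script and anything else to the tree root; the BROPATH search is not modelled.

```python
# Added example: approximate Bro's @load resolution to see the order scripts load.
# Assumptions: load once, depth-first, at first @load; no BROPATH search.
import posixpath
import re
from pathlib import Path

LOAD_RE = re.compile(r"^\s*@load\s+(\S+)", re.MULTILINE)

def resolve(scripts, name, base_dir):
    """Map an @load target to a key in `scripts` (a {relative path: source} dict)."""
    if name.startswith(("./", "../")):
        name = posixpath.normpath(posixpath.join(base_dir, name))
    for candidate in (f"{name}.bro", f"{name}/__load__.bro"):
        if candidate in scripts:
            return candidate
    raise FileNotFoundError(f"@load target not found: {name}")

def load_order(scripts, entry, loaded=None):
    """Return the scripts pulled in by `entry`, in load order; repeats are skipped."""
    loaded = [] if loaded is None else loaded
    if entry not in loaded:
        loaded.append(entry)
        for target in LOAD_RE.findall(scripts[entry]):
            load_order(scripts, resolve(scripts, target, posixpath.dirname(entry)), loaded)
    return loaded

def dropped_if_removed(scripts, entry, loader, target):
    """Scripts that stop loading when '@load target' is deleted from `loader` (the remove-one-@load experiment)."""
    trimmed = dict(scripts)
    trimmed[loader] = re.sub(rf"^\s*@load\s+{re.escape(target)}\s*$\n?", "", scripts[loader], flags=re.MULTILINE)
    return sorted(set(load_order(scripts, entry)) - set(load_order(trimmed, entry)))

def read_tree(root):
    """Load a real script directory (e.g. share/bro of an install) into the dict shape used above."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text() for p in root.rglob("*.bro")}

# Constructed miniature of the bootstrap layout; these are not the real Bro files.
SAMPLE = {
    "init-default.bro": "@load base/utils/site\n@load base/frameworks/logging\n@load base/protocols/http\n",
    "base/utils/site.bro": "module Site;\n",
    "base/frameworks/logging/__load__.bro": "@load ./main\n",
    "base/frameworks/logging/main.bro": "module Log;\n",
    "base/protocols/http/__load__.bro": "@load base/frameworks/logging\n@load ./main\n",
    "base/protocols/http/main.bro": "@load base/utils/site\nmodule HTTP;\n",
}

if __name__ == "__main__":
    print(*load_order(SAMPLE, "init-default.bro"), sep="\n")
    print(dropped_if_removed(SAMPLE, "init-default.bro", "init-default.bro", "base/protocols/http"))
```

The second print shows which scripts disappear from the load sequence when one @load line is deleted from init-default.bro, which is the effect Anthony's suggestion lets you observe on the real files.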
Thanks a lot.
I will look into these files.
Thanks Anthony, Clark for your replies.
I got BRO installed as per https://www.digitalocean.com/community/tutorials/how-to-install-bro-ids-2-2-on-ubuntu-12-04 on my linux dual boot machine. Now I am able to run BRO using broctl and I can see log files generated.
And I played with try.bro.org and saw how bro can capture traffic (http, connection, etc.).
I have succeeded in doing only the above part.
Now at this stage, how do I proceed with the suggestions you provided?
I have many questions, such as:
1. As Anthony suggested, remove @load from the initial boot-strap files init-default.bro and init-bare.bro. But how do I do that? I mean, where can I locate these files, and how do I modify them to remove @load and make them run, with my above installation?
2. As per Clark's suggestion, I saw the devel-tools list, but I could not figure out how to use https://github.com/bro/bro-aux/blob/master/devel-tools/cpu-bench-with-trace in my current installation.
San Jose State