Learning the Bro Scripting Language Part 3 - Detecting basic auth and going from evidence to practical use in Bro

I sent the first post of the series to the mailing list and got a decent response from people who were interested in learning Bro’s scripting language.

This post tries to move to a more operationally useful script and something you could actually deploy across an enterprise. If anyone has any comments or critiques I’d love to hear them.

http://ryesecurity.blogspot.com/2012/05/learning-bro-scripting-language.html

v/r
Scott Runnels

Great post! Perfect cheat-sheet for incident responders that need to
add something specific.

I sent the first post of the series to the mailing list and got a
decent response from people who were interested in learning Bro's
scripting language.

Nice work, Scott!

One small comment: "Three lines of Bro's scripting language and we can
detect a server using Basic Access Authentication!"

It's actually just one line [1]:

    redef HTTP::default_capture_password = T;

This automatically creates a new column password in the http.log with
the password value, if available.

Keep the posts coming!

    Matthias

[1] http://git.bro-ids.org/bro.git/blob/HEAD:/scripts/base/protocols/http/main.bro#l233

Hi Mattias,

Thank you!

Yea, that's definitely a little misleading on my part. I tried to touch on the fact that "Hey, Bro really does this kind of stuff under the hood!" I actually saw the username getting parsed out when I was dumping the connection getting passed into http_header and sent some colorful language at Seth over IM :slight_smile:

I'm hoping to try to get as many posts up as I can think of. I've been working pretty closely with Seth to make sure that I don't do something 'unbroly', that I stick to the already established conventions, and to make sure I don't go about spreading any misinformation. It's been a great learning experience. I'll reiterate what I said the post, "Some day, I'll stop being shocked by everything Bro does and just accept that it's wall-to-wall awesome!" Kind of hard sometimes, though!

v/r
Scott Runnels

I'm hoping to try to get as many posts up as I can think of.

Terrific!

I've been working pretty closely with Seth to make sure that I don't
do something 'unbroly', that I stick to the already established
conventions, and to make sure I don't go about spreading any
misinformation.

For sure, you're on the safe path with Seth on your side :-). Speaking
of conventions, one additional Bro idiom comes to mind. Maybe that's
already clear to you, even better then.

As you may have noticed, there are several boolean indicator flags in
the connection record. This introduces a new idiom: selectively enabling
or disabling certain analyses on a *per-connection basis*. For example,
you may only want to exclude logging passwords of users from a specific
subnet. All that this requires is setting HTTP::capture_password to true
for connections that do not originate from the corresponding subnet (or
if the reverse is easier, setting it to false for that specific subnet).

    Matthias