Trace Execution with broctl

Hello,

Is there currently a way to run an offline trace using broctl?

I saw some posts about potentially having a ‘read’ command, but it doesn’t appear to be implemented yet.

I am really trying to understand how to modify a few things that are being done by the broctl scripts. I get my desired results when running bro by itself, but need to see exactly how broctl is making changes. I was able to make some of the changes in the template scripts that are used when broctl is installed, but there are some things I still seem to be missing.

Thanks,

Will

I saw some posts about potentially having a 'read' command, but it doesn't
appear to be implemented yet.

No, it's not yet, but that would indeed be a good thing to have. I
don't think we have a tracker ticket for that yet iirc, would you mind
filing one at http://tracker.icir.org, describing what you'd like to
see (and if you're up for it, perhaps even summarizing the earlier
discussion?)

(Note the tracker is currently reporting some errors while we are
moving things to a new server; filing tickets is however working).

I am really trying to understand how to modify a few things that are being
done by the broctl scripts.

Likewise, can you describe in a bit more detail what you'd like to
do/see? We are planning to add a plugin interface to BroCtl, hopefully
in time for the next release, that will allow custom code to be
executed before/after any of the commands is run. We have a ticket for
that: http://tracker.icir.org/bro/ticket/370. Feel free to add more
thoughts to it. (The link to the proposal mentioned in the ticket is
currently not public, again because we're working on the
infrastructure; but here's a copy:
Bro Control Plugin Interface: http://www.icir.org/robin/tmp/broctl-plugins.html)

Robin

This is actually currently partially implemented in a branch. The problem with it is that it brings up a lot of questions about how it should work and how things should be handled from within BroControl. What I would personally like to see (but probably won't happen initially) is clustered tracefile processing.

Once we figure out a way forward on the read command, we can get it finished and integrated. Please file the ticket still if you don't mind. If you could be especially explicit about what features you need/want or how you'd like it to work, that would be a huge help.

Thanks!
  .Seth
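To make concrete what a broctl `read` command for a standalone node has to do, here is an added Python example that is not BroControl's code and not the branch Seth mentions: it takes a constructed node description modelled loosely on node.cfg (the `Node` class, its fields and the default script list are assumptions), swaps the live `-i <interface>` for `-r <pcap>`, runs the replay inside the node's spool directory and reports which `.log` files came out, so the same policy that runs live can be validated against a captured trace before it is deployed. The `fake_bro_runner` stands in for the real bro binary so the example runs offline.

```python
"""Added example of an offline 'read' for a standalone broctl node.
Hypothetical helper, not BroControl's own implementation."""
import os
import subprocess
import tempfile
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Node:
    # Constructed node description; field names are assumptions, not node.cfg's real keys.
    name: str
    type: str            # "standalone", "manager", "worker", ...
    bro_bin: str         # path to the bro binary the node would run
    spool_dir: str       # directory where the node writes its logs
    scripts: List[str] = field(default_factory=lambda: ["local"])


def build_read_command(node: Node, tracefile: str) -> List[str]:
    """Build the argv for replaying one pcap through the node's policy.

    Only a standalone node makes sense here: workers expect a manager and
    proxy to be up, which an offline replay does not provide.
    """
    if node.type != "standalone":
        raise ValueError(f"offline read only supported for standalone nodes, got {node.type!r}")
    if not os.path.isfile(tracefile):
        raise FileNotFoundError(tracefile)
    # Same scripts the node would load live; -r replaces -i <interface>.
    return [node.bro_bin, "-r", os.path.abspath(tracefile), *node.scripts]


def run_read(node: Node, tracefile: str,
             runner: Callable = subprocess.run) -> Tuple[int, List[str]]:
    """Run the replay in the node's spool dir and return (exit code, log files produced).

    'runner' defaults to subprocess.run; pass a stand-in to test without bro.
    """
    cmd = build_read_command(node, tracefile)
    os.makedirs(node.spool_dir, exist_ok=True)
    result = runner(cmd, cwd=node.spool_dir, capture_output=True, text=True)
    logs = sorted(f for f in os.listdir(node.spool_dir) if f.endswith(".log"))
    return result.returncode, logs


def fake_bro_runner(cmd, cwd, capture_output, text):
    """Stand-in for the bro binary: writes an empty conn.log and exits 0."""
    with open(os.path.join(cwd, "conn.log"), "w"):
        pass

    class Result:
        returncode = 0
    return Result()


def make_demo_fixture() -> Tuple[Node, str]:
    """Create a constructed standalone node and an empty placeholder pcap in a temp dir."""
    base = tempfile.mkdtemp(prefix="broctl-read-demo-")
    pcap = os.path.join(base, "sample.pcap")   # constructed, empty placeholder
    with open(pcap, "wb"):
        pass
    node = Node(name="bro", type="standalone",
                bro_bin="/usr/local/bro/bin/bro",   # assumed install path
                spool_dir=os.path.join(base, "spool"))
    return node, pcap


if __name__ == "__main__":
    node, pcap = make_demo_fixture()
    print("would run:", " ".join(build_read_command(node, pcap)))
    print("result with stand-in runner:", run_read(node, pcap, runner=fake_bro_runner))
```

Against a real install you would drop the `runner` argument so `subprocess.run` executes the actual binary; the spool directory then holds the logs produced from the trace, kept apart from the live node's output.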

I saw some posts about potentially having a ‘read’ command, but it doesn’t
appear to be implemented yet.

No, it’s not yet, but that would indeed be a good thing to have. I
don’t think we have a tracker ticket for that yet iirc, would you mind
filing one at http://tracker.icir.org, describing what you’d like to
see (and if you’re up for it, perhaps even summarizing the earlier
discussion?)

(Note the tracker is currently reporting some errors while we are
moving things to a new server; filing tickets is however working).

I would be happy to create a new ticket for the feature with additional info. This is a ticket from six months ago that is fairly close to what I would be requesting.

http://tracker.icir.org/bro/ticket/273

Should I create a new one or add to this?

I am really trying to understand how to modify a few things that are being
done by the broctl scripts.

Likewise, can you describe in a bit more detail what you'd like to
do/see? We are planning to add a plugin interface to BroCtl, hopefully
in time for the next release, that will allow custom code to be
executed before/after any of the commands is run. We have a ticket for
that: http://tracker.icir.org/bro/ticket/370. Feel free to add more
thoughts to it. (The link to the proposal mentioned in the ticket is
currently not public, again because we’re working on the
infrastructure; but here’s a copy:
http://www.icir.org/robin/tmp/broctl-plugins.html)

Sounds good. Thanks for the info.

Is there currently a way to run an offline trace using broctl?

This is actually currently partially implemented in a branch. The problem with it is that it brings up a lot of questions about how it should work and how things should be handled from within BroControl. What I would personally like to see (but probably won’t happen initially) is clustered tracefile processing.

Once we figure out a way forward on the read command, we can get it finished and integrated. Please file the ticket still if you don’t mind. If you could be especially explicit about what features you need/want or how you’d like it to work, that would be a huge help.

I found cached versions of both files below and was going to see if I could get them working on our test box.

source: broctl/BroControl/config.py @ 6683ca9
Revision 6683ca9, 14.5 KB checked in by seth, 3 months ago (diff)
source: broctl/bin/broctl.in @ 6683ca9
Revision 6683ca9, 23.3 KB checked in by seth, 3 months ago (diff)
“read” command for doing offline tracefile analysis through broctl.
There is more work to go, but so far, reading a single tracefile on
a standalone node works and it should work on a “localhost” cluster
config too but hasn’t been tested.

Again, I would be happy to add what I would like to see as far as features. Initially, having the ability to create a ‘trace execution file’ that steps through policy execution of an offline pcap file would be fabulous. This is mostly because I am so new (*terrible) at programming and am learning C as I go. So, with that in mind, I may include something that clearly already exists or doesn’t make any sense.

Thanks!
.Seth


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

Will

Yes, please add to that one.

Robin