whitelisting

Hi Tracy,

Here's what my whitelisting looks like in Bro 2.1:

# In my local.bro:

const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4, # Google example
                                           1.2.3.4 # Another example
                                         };

redef Notice::policy += {
      [$action = Notice::ACTION_EMAIL,
       $pred(n: Notice::Info) = { return n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist); } ]
};

It's a bit clunky, but it works. The n?$src clause is used to test whether the src field exists. The Bro Workshop has some great resources for learning about notice handling[1].

Just as a preview, this got cleaned up a bit for the upcoming Bro 2.2:

const external_port_scanners_whitelist = { 8.8.8.8, 8.8.4.4 };

hook Notice::policy(n: Notice::Info) &priority=10
      {
      if ( n$note == Scan::Port_Scan && n?$src && !(n$src in external_port_scanners_whitelist) )
            {
            add n$actions[Notice::ACTION_EMAIL];
            }

      }

The new notation might not look like a big benefit in this short example, but it comes in handy as your notice handling becomes more complex.

Hope this helps,

  --Vlad

[1] - Exercise 3 at: <http://bro.org/bro-workshop-2011/index.html>.

Tracy,

To add SSL Certificate Authorities to bro, I used this example: http://mailman.icsi.berkeley.edu/pipermail/bro/2012-February/005333.html

Bro stores its own list of CAs (generated from Mozilla’s list) and the system certificates are ignored.

B Little.

Hi, I installed Bro here and I can already tell it is extremely useful. I’m just learning how to use it so I have lots of questions. Here are a couple quick ones:

When parsing through the bro log files, how do I turn the timestamp column into something human readable? Where would I go to find this answer on my own? Is there a newbie guide to bro I should be reading? I don’t see how to search this mailing list’s archives.

Thanks,
-Brian

Brian Allen
Network Security Analyst
Washington University

There's a command "bro-cut" that should be installed in
the same directory as "bro". Run bro-cut with an invalid
option (such as "bro-cut -x") and it will output a usage
message. There are several command-line options to convert
timestamps to human-readable format.

If you look at any email that was sent out to the mailing list,
there is a link to the mailing list archives at the bottom
of the message.

The Bro documentation is at http://bro.org/documentation/index.html

The Bro documentation area is strangely lacking in some respects. The command you are looking for is bro-cut, a powerful little script that can display a human-readable timestamp and also display only the fields of the log files that you are interested in, and rearrange them if you want. The main thing to remember is that it's a classic stdin->stdout command and does not operate on the filename:
"bro-cut -d ts id.orig_h id.resp_h orig_bytes resp_bytes id.resp_p <conn.log" for example.

Or, after the archiving has been done:

ls -1 2013-03-27/conn.*gz | while read fn;do (export TZ=MST7MDT;zcat $fn | bro-cut -d );done | fgrep 192.168.131.135 | less

This would be if, for instance, your system's clock was running in UTC (which mine is).

Hey Brian,

As Shane mentioned, bro-cut is one way to make better sense of your logs. There's some additional information about working with your logs available from the Bro Workshop, at: <http://www.bro.org/bro-workshop-2011/> (Exercise 2). If you're new to Bro, I'd definitely recommend checking out the Bro Workshop exercises. There are videos and a lot of hands-on questions and solutions for many day-to-day tasks with Bro.

Another way of converting timestamps is simply with the date command (I often resort to this when I just need a single timestamp):

$ date -d @1367064229.605422
Sat Apr 27 08:03:49 EDT 2013

Hope this helps,

  --Vlad

Awesome. Thanks. I'm still wandering around the bro directories learning
where everything is.
Thanks,
-Brian

Brian,

bro has some helper utilities called cf and hf ( can’t recall if they are already installed with standard dist or not - used to be in aux directory in source)

but they are also available here :

ftp://ftp.ee.lbl.gov/cf-1.2.4.tar.gz 
ftp://ftp.ee.lbl.gov/hf-1.3.tar.gz

cf converts unix time in human readable format.

hf - resolves hostnames

one way to search logs is: grep conn.log | cf

(make sure cf is your path)

Also, from the bro mailing list archives:

http://mailman.icsi.berkeley.edu/pipermail/bro/2004-January/001373.html

Aashish

Brian,

bro has some helper utilities called cf and hf ( can’t recall if they are already installed with standard dist or not - used to be in aux directory in source)

but they are also available here :

ftp://ftp.ee.lbl.gov/cf-1.2.4.tar.gz 
ftp://ftp.ee.lbl.gov/hf-1.3.tar.gz

cf converts unix time in human readable format.

hf - resolves hostnames

one way to search logs is: grep conn.log | cf

(make sure cf is your path)

Also, from the bro mailing list archives:

http://mailman.icsi.berkeley.edu/pipermail/bro/2004-January/001373.html

Aashish

Brian,

bro has some helper utilities called cf and hf ( can’t recall if they are already installed with standard dist or not - used to be in aux directory in source)

but they are also available here :

ftp://ftp.ee.lbl.gov/cf-1.2.4.tar.gz 
ftp://ftp.ee.lbl.gov/hf-1.3.tar.gz

cf converts unix time in human readable format.

hf - resolves hostnames

one way to search logs is: grep conn.log | cf

(make sure cf is your path)

Also, from the bro mailing list archives:

http://mailman.icsi.berkeley.edu/pipermail/bro/2004-January/001373.html

Aashish

I made two scripts…findbro and zfindbro…I run findbro in current, and zfindbro in the archive dirs:

egrep -h "^#|$1" * | bro-cut -d

zegrep -h "^#|$1" * | bro-cut -d

Then just put in a host or ip or domain and you'll get everything on it…from dns lookups to connections.

James