> How quickly
> is an event (say, a TCP session finishing the normal way) logged? How can
> I control this?
Logging occurs whenever your policy script executes a "log" statement,
and it goes out immediately via syslog(). If you're printing using
"print" to a file, then it's block buffered. Adding a flush mechanism
is on the to-do list.
Bro generally strives to generate events as soon as it can, so the policy
script immediately gets a crack at them (and can promptly log if need be).
connection_established is generated when the SYN ack is seen (Bro doesn't
wait for the final ack completing the three-way handshake, because often it
won't ever see it because of use of a SYN/FIN/RST filter). Likewise,
connection_rejected is generated as soon as the RST is seen. However,
connection_attempt is only generated five minutes after the first SYN
is seen, to give the connection time to first become established.
Bro could generate this sooner, or make it tunable, or generate a
connection_first_packet event on the first packet (if the policy
script includes a handler). I'd be interested in hearing from folks
who find they'd like that - it's an easy addition.
I've just started to investigate bro here. I'd like to use it for real
time network monitoring, and an obvious (to me) question is: How quickly
is an event (say, a TCP session finishing the normal way) logged? How can
I control this?
I assume I might have to turn off stdio buffering to be able to see such
events right away. Are there other knobs to adjust?
Steinar Haug, Nethelp consulting, sthaug(a)nethelp.no
> - is there an archive for this mailing list?
Yes. To get a list of past messages, send a message to bro-request(a)lbl.gov
with the subject "archive ls latest". To then retrieve a message, use
"archive get latest/<number>" for a message with the given number, or
"archive get latest/<number>*" for those messages that match the pattern
<number>* (so "archive get latest/*" retrieves all of the messages).
Unfortunately, when using a pattern each message matching the pattern is
returned in a separate message, which is a bit clunky.
> - is there more documentation or any faqs specifically for Bro?
No, just what's distributed in the doc/ directory. This is a major hole.
> - is a signature data file utilized? If so, what module(s) access it?
When you run Bro, you give it as an argument the policy file(s) to load.
The usual one you use is "mt", which corresponds to pub-policy/mt.bro.
It then @load's a bunch of other policy files, which are also found
> - are there some example log files available?
See doc/conn-logs for a description of the connection summaries generated
by tcp.bro (I assume this is what you're asking about).
> We are currently waiting for the hardware to install Bro, but are trying
> to determine the formats of the signature file and log files for design
Bro doesn't have signature files per se. It instead has a language for
expressing event handlers. One common thing to do with these is express
signatures. It's also the policy files that write whatever logs you want
them to write. The default logs written are those produced by tcp.bro,
ftp.bro, and finger.bro. The language is informally described in the USENIX
paper, and meant to be fairly clear upon study of the policies distributed
We are a senior project group from the University of Colorado at Boulder.
We are beginning research into intrusion detection and are considering
using Bro. After browsing the source code, we have questions:
- is there an archive for this mailing list?
- is there more documentation or any faqs specifically for Bro?
- is a signature data file utilized? If so, what module(s) access it?
- are there some example log files available?
We are currently waiting for the hardware to install Bro, but are trying
to determine the formats of the signature file and log files for design
Any assistance would be greatly appreciated.
Dave, Kelly, Jason, Mike, Paul