The Bro 0.8 User
Contents
List of Figures
List of Tables
Introduction
Getting Started
Running Bro
Building and installing Bro
Using Bro interactively
Specifying policy scripts
Running Bro on network traffic
Modifying Bro policy
Bro flags and run-time environment
Helper utilities
Scripts
The hf utility
The cf utility
Values, Types, and Constants
Overview
Bro Types
Type Conversions
Booleans
Boolean Constants
Logical Operators
Numeric Types
Numeric Constants
Mixing Numeric Types
Arithmetic Operators
Comparison Operators
Enumerations
Strings
String Constants
String Operators
Patterns
Pattern Constants
Pattern Operators
Temporal Types
Temporal Constants
Temporal Operators
Port Type
Port Constants
Port Operators
Address Type
Address Constants
Address Operators
Net Type
Net Constants
Net Operators
Records
Defining records
Record Constants
Accessing Fields Using "$"
Record Assignment
Tables
Declaring Tables
Initializing Tables
Table Attributes
Accessing Tables
Table Assignment
Deleting Table Elements
Sets
Files
Functions
Event handlers
The any type
Statements and Expressions
Statements
Expressions
Global and Local Variables
Overview
Scope
Modifiability
Typing
Initialization
Attributes
Refinement
Predefined Variables and Functions
Predefined Variables
Predefined Functions
Run-time errors for non-existing connections
Run-time errors for strings with NULs
Functions for manipulating strings
Functions for manipulating time
Analyzers and Events
Activating an Analyzer
Loading Analyzers
Filtering
General Processing Events
Generic Connection Analysis
The connection record
Definitions of connections
Generic TCP connection events
The tcp analyzer
The udp analyzer
Connection summaries
Connection functions
Site-specific information
Site variables
Site-specific functions
The hot Analyzer
hot variables
hot functions
The scan Analyzer
scan variables
scan functions
scan event handlers
The port-name Module
The mt Module
The log Module
The active Module
The demux Module
The dns Module
The dns_mapping record
dns variables
dns event handlers
The finger Analyzer
finger variables
finger event handlers
The frag Module
The hot-ids Module
The ftp Analyzer
The ftp_session_info record
ftp variables
ftp functions
ftp event handlers
The http Analyzer
http variables
http event handlers
The ident Analyzer
ident variables
ident event handlers
The login Analyzer
login analyzer confusion
login variables
login functions
login event handlers
The portmapper Analyzer
portmapper variables
portmapper functions
portmapper event handlers
The analy Analyzer
The weird Module
Actions for "weird" events
weird variables
weird functions
Events handled by conn_weird
Events handled by conn_weird_addl
Events handled by flow_weird
Events handled by net_weird
Events generated by the standard scripts
Additional handlers for "weird" events
The icmp Analyzer
The stepping Analyzer
The ssh-stepping Module
The backdoor Analyzer
The interconn Analyzer
Missing Documentation
The use of prefixes
The tcpdump save file that Bro writes
The bro.init initialization file
Assignment operators such as +=
The notion of redefinition/refinement
The logging model
Timer management
SYN-FIN filtering
Split routing
Scan dropping
Operator precedence
Partial connections
Packet drops
The @load directive
Global statements
Inserting tables into tables
Demultiplexing
Bro init file
Hostnames vs. addresses
The hot-report script
Use of libpcap/BPF
The problem of evasion
Backscatter
Playing back traces
Discarders
Differences between this release and the previous one
Alert cascade
The need for subtyping
The need for CIDR masks
The wish list
Known bugs
Bibliography
Index
Vern Paxson 2002-11-17