The Bro 0.8 User Manual
Vern Paxson
Lawrence Berkeley National Laboratory
and
ICSI Center for Internet Research
International Computer Science Institute
vern@icir.org
Contents
List of Figures
List of Tables
Introduction
Getting Started
Running Bro
Building and installing Bro
Supported platforms
The Bro source code distribution
Installing Bro
Tuning BPF
Using Bro interactively
Specifying policy scripts
Running Bro on network traffic
Live traffic
Traffic traces
Modifying Bro policy
Bro flags and run-time environment
Flags
Run-time environment
Helper utilities
Scripts
The hf utility
The cf utility
Values, Types, and Constants
Overview
Bro Types
Type Conversions
Booleans
Boolean Constants
Logical Operators
Numeric Types
Numeric Constants
Mixing Numeric Types
Arithmetic Operators
Comparison Operators
Enumerations
Strings
String Constants
String Operators
Patterns
Pattern Constants
Pattern Operators
Exact Pattern Matching
Embedded Pattern Matching
Temporal Types
Temporal Constants
Temporal Operators
Temporal Negation
Temporal Addition
Temporal Subtraction
Temporal Multiplication
Temporal Division
Temporal Relationals
Port Type
Port Constants
Port Operators
Address Type
Address Constants
Address Operators
Net Type
Net Constants
Net Operators
Records
Defining records
Record Constants
Accessing Fields Using $
Record Assignment
Tables
Declaring Tables
Initializing Tables
Table Attributes
Accessing Tables
Table Assignment
Deleting Table Elements
Sets
Files
Functions
Event handlers
The any type
Statements and Expressions
Statements
Expressions
Global and Local Variables
Overview
Scope
Modifiability
Typing
Initialization
Attributes
Refinement
Predefined Variables and Functions
Predefined Variables
active.bro
alert.bro
anon.bro
backdoor.bro
bro.init
code-red.bro
conn.bro
demux.bro
dns.bro
dns-mapping.bro
finger.bro
ftp.bro
hot.bro
hot-ids.bro
http.bro
http-abstract.bro
http-request.bro
icmp.bro
ident.bro
interconn.bro
login.bro
mime.bro
ntp.bro
port-names.bro
portmapper.bro
rules.bro
scan.bro
site.bro
smtp.bro
smtp-relay.bro
software.bro
ssh.bro
stepping.bro
tftp.bro
udp.bro
weird.bro
worm.bro
Uncategorized
Predefined Functions
Run-time errors for non-existing connections
Run-time errors for strings with NULs
Functions for manipulating strings
Functions for manipulating time
Analyzers and Events
Activating an Analyzer
Loading Analyzers
Filtering
General Processing Events
Generic Connection Analysis
The connection record
Definitions of connections
Generic TCP connection events
The tcp analyzer
The udp analyzer
Connection summaries
Connection functions
Site-specific information
Site variables
Site-specific functions
The hot Analyzer
hot variables
hot functions
The scan Analyzer
scan variables
scan functions
scan event handlers
The port-name Module
The mt Module
The log Module
The active Module
The demux Module
The dns Module
The dns_mapping record
dns variables
dns event handlers
The finger Analyzer
finger variables
finger event handlers
The frag Module
The hot-ids Module
The ftp Analyzer
The ftp_session_info record
ftp variables
ftp functions
ftp event handlers
The http Analyzer
http variables
http event handlers
The ident Analyzer
ident variables
ident event handlers
The login Analyzer
login analyzer confusion
login variables
login functions
login event handlers
The portmapper Analyzer
portmapper variables
portmapper functions
portmapper event handlers
The analy Analyzer
The signature Module
The SSL Analyzer
The x509 record
The ssl_connection_info record
SSL variables
SSL event handlers
The weird Module
Actions for "weird" events
weird variables
weird functions
Events handled by conn_weird
Events handled by conn_weird_addl
Events handled by flow_weird
Events handled by net_weird
Events generated by the standard scripts
Additional handlers for "weird" events
The icmp Analyzer
The stepping Analyzer
The ssh-stepping Module
The backdoor Analyzer
The interconn Analyzer
Signatures
Overview
Signature language
Conditions
Header conditions
Content conditions
Dependency conditions
Context conditions
Actions
snort2bro
Interactive Debugger
Overview
A Sample Session
Usage
Notes and Limitations
Reference
Missing Documentation
The use of prefixes
The tcpdump save file that Bro writes
The bro.init initialization file
Assignment operators such as +=
The notion of redefinition/refinement
The logging model
Timer management
SYN-FIN filtering
Split routing
Scan dropping
Operator precedence
Partial connections
Packet drops
The @load directive
Global statements
Inserting tables into tables
Demultiplexing
Bro init file
Hostnames vs. addresses
The hot-report script
Use of libpcap/BPF
The problem of evasion
Backscatter
Playing back traces
Discarders
Differences between this release and the previous one
Alert cascade
The need for subtyping
The need for CIDR masks
The wish list
Known bugs
Bibliography
Index
About this document ...
Vern Paxson 2004-03-21