Ticket #273 (closed Feature Request: Solved/Applied)

Opened 18 months ago

Last modified 4 weeks ago

"read" command in broctl

Reported by: seth Owned by:
Priority: Normal Milestone:
Component: BroControl Version: 1.5.1
Keywords: Cc:

Description

I think it would be helpful to have a "read" command in broctl so that if a user wants to test a tracefile against their complete production Bro environment, it becomes easily possible. This could help where people may be writing scripts that work in testing, but don't work properly with their full production configuration.

What I'm thinking is that I'd like to be able to do this...

[BroControl] > read /data/tracefiles/large-example1.trace

The log output from running that command could possibly be directed into a directory like <prefix>/spool/testing

Change History

comment:1 Changed 18 months ago by robin

  • Status changed from new to seen
  • Component changed from Bro to BroControl

Ack. I've been wanting to do this for a while already, except that so far I have been thinking about an external script that gets installed with broctl and that runs Bro offline with the right parameters mimicking what broctl uses live. Having a broctl cmd for that is an interesting thought too, not sure what is better?

comment:2 Changed 18 months ago by seth

I think that having it integrated into broctl would be really nice because the technique to test scripts becomes really easy and obvious without even having to read any documentation. It also pushes the centralization of functionality into broctl which I see as worthwhile for several reasons.

comment:3 Changed 10 months ago by will

Expounding upon what is already here, I would suggest the following functionality be added to Broctl.

usage: broctl [options] [file ...]
<file>                            |policy file, or stdin
-r|read |--readfile <readfile>    |reads from given tcpdump file
-t|trace|--tracefile <tracefile>  |activate execution tracing
-d|debug|--debug-policy           |activate policy file debugging

[BroControl] > -t execfile -r /data/badness.pcap local.policy.bro

The above would create log files for anything called by the local.policy.bro script. The execfile would contain execution tracing of the entire process used by broctl, including the use of broctl scripts.

cat execfile | less
0.000000 /usr/local/bro/share/bro/bro.init:303  function called: open_log_file(tag = 'alarm')
0.000000 /usr/local/bro/share/bro/bro.init:298          function called: log_file_name(tag = 'alarm')
0.000000 /usr/local/bro/share/bro/bro.init:297                  Builtin Function called: getenv(var = 'BRO_LOG_SUFFIX')
0.000000 /usr/local/bro/share/bro/bro.init:297                  Function return:
0.000000 /usr/local/bro/share/bro/bro.init:298                  Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'alarm', vararg1 = 'log')
0.000000 /usr/local/bro/share/bro/bro.init:298                  Function return: alarm.log
0.000000 /usr/local/bro/share/bro/bro.init:298          Function return: alarm.log
0.000000 /usr/local/bro/share/bro/bro.init:303          Builtin Function called: open(f = 'alarm.log')
0.000000 /usr/local/bro/share/bro/bro.init:303          Function return: file "alarm.log" of string
[...truncated]

Example of log files created (this would obviously depend completely upon the configuration of local.policy.bro)

drwx------  3 root  wheel      512 Apr 11 17:35 .state
-rw-r--r--  1 root  wheel      222 Apr 11 17:35 alarm.log
-rw-r--r--  1 root  wheel  5476223 Apr 11 17:35 badness
-rw-r--r--  1 root  wheel   390608 Apr 11 15:54 badness.pcap
-rw-r--r--  1 root  wheel     1118 Apr 11 17:35 conn.log
-rw-r--r--  1 root  wheel       92 Apr 11 17:35 ftp-ext.log
-rw-r--r--  1 root  wheel        0 Apr 11 17:35 ftp.log
-rw-r--r--  1 root  wheel       92 Apr 11 17:35 http-client-body.log
-rw-r--r--  1 root  wheel      344 Apr 11 17:35 http-ext-identified-files.log
-rw-r--r--  1 root  wheel     1595 Apr 11 17:35 http-ext.log
-rw-r--r--  1 root  wheel       16 Apr 11 17:35 http-user-agents.log
-rw-r--r--  1 root  wheel    33593 Apr 11 17:35 http.log
-rw-r--r--  1 root  wheel        0 Apr 11 17:35 known-hosts.log
-rw-r--r--  1 root  wheel        0 Apr 11 17:35 known-services.log
-rw-r--r--  1 root  wheel      472 Apr 11 17:35 notice.log
-rw-r--r--  1 root  wheel        0 Apr 11 17:35 null.log
-rw-r--r--  1 root  wheel    10025 Apr 11 17:35 prof.log
-rw-r--r--  1 root  wheel        0 Apr 11 17:35 signatures.log
-rw-r--r--  1 root  wheel      225 Apr 11 17:35 weird.log
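
The execution-trace excerpt in the comment above is the kind of output a script author ends up sifting through when a script behaves differently under the full production configuration. The following is an added example, not code from this ticket or from BroControl: a small Python parser that turns that trace format into a call tree and lists which script functions fired per file. It assumes each line has the shape "<timestamp> <file>:<line><indent><event>", that the indent grows by one tab (or eight spaces) per nesting level, and that events take only the three forms seen above ("function called: ...", "Builtin Function called: ..." and "Function return: ..."). The sample input is constructed from the excerpt.

```python
"""Parse Bro execution-trace output (the -t tracefile format shown in this
ticket) into a call tree.  Added example; not part of BroControl."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed line shape: "<ts> <file>:<line><indent><event>".
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<file>\S+):(?P<line>\d+)(?P<ws>[ \t]+)(?P<event>.+)$")
CALL_RE = re.compile(r"^(?P<kind>function|Builtin Function) called: (?P<name>\w+)\((?P<args>.*)\)$")
RET_RE = re.compile(r"^Function return:\s*(?P<value>.*)$")


@dataclass
class Call:
    name: str
    args: str
    builtin: bool
    file: str
    line: int
    depth: int
    ts: float
    ret: Optional[str] = None          # None means no return line was seen
    children: List["Call"] = field(default_factory=list)


def depth_of(ws: str) -> int:
    # Assumption: one tab, or eight spaces, of indentation per nesting level.
    return ws.count("\t") + ws.count(" ") // 8


def parse_trace(text: str) -> List[Call]:
    """Build the call tree; lines that are not trace lines are ignored."""
    roots: List[Call] = []
    stack: List[Call] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                   # blank lines, "[...truncated]" markers
        depth = depth_of(m.group("ws"))
        event = m.group("event")
        call = CALL_RE.match(event)
        if call:
            node = Call(name=call.group("name"), args=call.group("args"),
                        builtin=call.group("kind").startswith("Builtin"),
                        file=m.group("file"), line=int(m.group("line")),
                        depth=depth, ts=float(m.group("ts")))
            # Drop frames at the same or deeper level whose return line was lost.
            while stack and stack[-1].depth >= depth:
                stack.pop()
            (stack[-1].children if stack else roots).append(node)
            stack.append(node)
            continue
        ret = RET_RE.match(event)
        if ret:
            while stack and stack[-1].depth > depth:
                stack.pop()
            if stack and stack[-1].depth == depth:
                stack[-1].ret = ret.group("value")
                stack.pop()
    return roots


def render(roots: List[Call]) -> List[str]:
    """Indented one-line-per-call view, '?' where no return was recorded."""
    out: List[str] = []

    def walk(node: Call, level: int) -> None:
        ret = "?" if node.ret is None else node.ret
        out.append(f"{'  ' * level}{node.name}({node.args}) -> {ret}")
        for child in node.children:
            walk(child, level + 1)

    for root in roots:
        walk(root, 0)
    return out


def functions_by_file(roots: List[Call]) -> Dict[str, List[str]]:
    """Script-defined (non-builtin) functions that actually ran, per file."""
    seen: Dict[str, set] = {}

    def walk(node: Call) -> None:
        if not node.builtin:
            seen.setdefault(node.file, set()).add(node.name)
        for child in node.children:
            walk(child)

    for root in roots:
        walk(root)
    return {f: sorted(names) for f, names in seen.items()}


def _line(line_no: int, depth: int, event: str) -> str:
    # Reproduces the spacing of the excerpt: two spaces, then eight per level.
    return f"0.000000 /usr/local/bro/share/bro/bro.init:{line_no}" + " " * (2 + 8 * depth) + event


# Constructed sample input, copied in shape from the excerpt in comment 3.
SAMPLE_TRACE = "\n".join([
    _line(303, 0, "function called: open_log_file(tag = 'alarm')"),
    _line(298, 1, "function called: log_file_name(tag = 'alarm')"),
    _line(297, 2, "Builtin Function called: getenv(var = 'BRO_LOG_SUFFIX')"),
    _line(297, 2, "Function return:"),
    _line(298, 2, "Builtin Function called: fmt(va_args = '%s.%s', vararg0 = 'alarm', vararg1 = 'log')"),
    _line(298, 2, "Function return: alarm.log"),
    _line(298, 1, "Function return: alarm.log"),
    _line(303, 1, "Builtin Function called: open(f = 'alarm.log')"),
    _line(303, 1, 'Function return: file "alarm.log" of string'),
    "[...truncated]",
])

if __name__ == "__main__":
    tree = parse_trace(SAMPLE_TRACE)
    print("\n".join(render(tree)))
    print(functions_by_file(tree))
```

Feeding it a real execfile (open(path).read()) instead of SAMPLE_TRACE gives a per-file list of the script functions that actually executed for a given pcap, which is the quickest way to spot a handler that fires in a minimal test setup but never runs under the production policy set.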

comment:4 Changed 9 months ago by robin

  • Status changed from seen to testing
  • Milestone set to Bro1.6

An experimental version of this is now part of the plugin branch.

It's closer to Seth's version but allows giving additional Bro options and scripts so, e.g., execution tracing can be turned on.

comment:5 Changed 6 months ago by seth

  • Status changed from testing to closed
  • Resolution set to Solved/Applied

This is in broctl master now. Let's just say it's done.

comment:6 Changed 4 weeks ago by robin

  • Milestone Bro2.0 deleted