During the course of its normal operation, Bro produces a large volume of log files. This series of exercises examines the Bro log output format, and highlights a few extremely useful utilities that can be used to extract data from and/or process this information.
Part 1: Generating Logs
Exercise
Run bro with the -r option, and provide the http.pcap file. For more information on bro options, please run bro with the -h option.
Note
Logs will be generated in the current working directory!
Part 2: Matching Records to Log Fields
Exercise
For this, you’ll need misc.pcap.
Run this command:
bro -r misc.pcap
and then interpret the fields in each of the resulting logs. Examine relevant records in the associated script files; be sure to look for the &log directive when examining those files.
Note
Record definitions can normally be found in $PREFIX/share/bro/base/protocols/<PROTO>/main.bro in the in the installation directory (or scripts/base/protocols/... in the Bro source tree).
Part 3: Connection Statistics
Bro summarizes each TCP and UDP connection as a single line in the conn.log. Because these connection summaries are quite detailed, you can extract plenty useful statistics from it. For the following two parts, use the log files generated from the trace 2009-M57-day11-18.trace.gz via bro -r 2009-M57-day11-18.trace.
Exercise
List the connections by in increasing order of duration, i.e., the longest connections at the end.
Exercise
Find all connections that last longer than one minute.
Exercise
Find all IP addresses of web servers that send more than more than 1 KB back to a client.
Exercise
Are there any web servers on non-standard ports (i.e., 80 and 8080)?
Exercise
Show a breakdown of the number of connections by service.
Exercise
Show the top 10 destination ports in descending order.
Exercise
What are the top 10 hosts (originators) that send the most traffic?
Part 4: HTTP Statistics
Exercise
What are the distinct browsers in this trace? What are the distinct MIME types of the downloaded URLS?
Exercise
What are the three most commonly accessed web sites?
Exercise
What are the top 10 referred hosts?
Part 5: Tweaking Log Output
Exercise
Tell Bro to include the new_separator.bro script, and then re-process http.pcap. After verifying that the separator character has, in fact, changed, modify the separator character defined in new_separator.bro to be something slightly more interesting. Next, re-run Bro and verify that the separator character worked as expected and that the #separator field at the top of the file was updated appropriately. Now, add a line to new_separator.bro that will change the comment character used in the log file; consult base/frameworks/logging/writers/ascii.bro to determine the appropriate incantation.
Page Contents
Quick Links
- 13 February 2020: Ask the Zeeksperts - Aashish Sharma
- 18 February 2020 - Portland OR: Zeek Days Workshops
- 27 February 2020: Ask the Zeeksperts
- 7-9 October 2020 - Austin, Texas: ZeekWeek 2020
