Bro contains a programming language designed specifically to be able to represent network-related abstractions (e.g. addresses and ports) and as such offers a great deal of functionality and flexibility in terms of helping you accomplish your network-monitoring goals. The following exercises all explore using Bro’s scripting language.
Part 1: String Manipulation and Patterns
The string type holds character-string values that are used to represent and manipulate text, so let’s learn to do that since those kinds of tasks are likely to show up later.
Exercise
All the exercises for this part are described within the part1.bro bro script, to which you’ll add your own code. It can be run using Bro at any time to check your progress:
bro part1.bro
Solution
A complete solution is found in part1-solutions.bro. You can look at it for hints on how to solve a specific exercise, or run it to see the expected output:
bro part1-solutions.bro
Part 2: Tables and Sets and Vectors
There are several container/collection types that are commonly used in Bro for accumulating/storing state information and this tutorial will go over the basic usage of each: table, set, and vector.
Exercise
All exercises are described within part2.bro. Follow the tasks that the comments set out and add your own code to it. Run it using Bro at any time to check/test progress:
bro part2.bro
Solution
A completed solution is found in part2-solutions.bro. Look at it for hints or run it to see the expected output:
bro part2-solutions.bro
Part 3: Records and Functions
A record is a collection of values, with each having a name (referred to as the record’s fields), and a type. There’s no restriction on allowed types, which means they can contain other, nested record fields or even function types which are just procedural abstractions most programmers are already familiar with, but will be described in this exercise.
Exercise
All exercises are described within part3.bro. Follow the tasks that the comments set out and add your own code to it. Run it using Bro at any time to check/test progress:
bro part3.bro
Solution
A completed solution is found in part3-solutions.bro. Look at it for hints or run it to see the expected output:
bro part3-solutions.bro
Part 4: Events
Bro provides an event engine as the primary facilitator of network analysis. And the way a Bro programmer (Brogrammer) can tap into the engine is at the scripting-layer through event handlers, so this part of the exercise looks at how to do that.
Exercise
All exercises are described within part4.bro. You’ll also need browse.pcap. Follow the tasks that the comments set out and add your own code to it. Run it using Bro at any time to check/test progress:
bro -r browse.pcap part4.bro
Solution
A completed solution is found in part4-solutions.bro. Look at it for hints or run it to see the expected output:
bro -r browse.pcap part4-solutions.bro
Page Contents
Quick Links
- 13 February 2020: Ask the Zeeksperts - Aashish Sharma
- 18 February 2020 - Portland OR: Zeek Days Workshops
- 27 February 2020: Ask the Zeeksperts
- 7-9 October 2020 - Austin, Texas: ZeekWeek 2020
