Table of Contents

• Bro Reference Manual
• 1 Introduction
• 2 Getting Started
  • 2.1 Running Bro
    • 2.1.1 Building and installing Bro
      • 2.1.1.1 Supported platforms
      • 2.1.1.2 The Bro source code distribution
      • 2.1.1.3 Installing Bro
      • 2.1.1.4 Tuning BPF
    • 2.1.2 Using Bro interactively
    • 2.1.3 Specifying policy scripts
    • 2.1.4 Running Bro on network traffic
      • 2.1.4.1 Live traffic
      • 2.1.4.2 Traffic traces
    • 2.1.5 Modifying Bro policy
    • 2.1.6 Bro flags and run-time environment
      • 2.1.6.1 Flags
      • 2.1.6.2 Run-time environment
  • 2.2 Helper utilities
    • 2.2.1 Scripts
    • 2.2.2 The hf utility
    • 2.2.3 The cf utility
• 3 Values, Types, and Constants
  • 3.1 Values Overview
    • 3.1.1 Bro Types
    • 3.1.2 Type Conversions
  • 3.2 Booleans
    • 3.2.1 Boolean Constants
    • 3.2.2 Logical Operators
  • 3.3 Numeric Types
    • 3.3.1 Numeric Constants
    • 3.3.2 Mixing Numeric Types
    • 3.3.3 Arithmetic Operators
    • 3.3.4 Comparison Operators
  • 3.4 Enumerations
  • 3.5 Strings
    • 3.5.1 String Constants
    • 3.5.2 String Operators
  • 3.6 Patterns
    • 3.6.1 Pattern Constants
    • 3.6.2 Pattern Operators
      • 3.6.2.1 Exact Pattern Matching
      • 3.6.2.2 Embedded Pattern Matching
  • 3.7 Temporal Types
    • 3.7.1 Temporal Constants
    • 3.7.2 Temporal Operators
      • 3.7.2.1 Temporal Negation
      • 3.7.2.2 Temporal Addition
      • 3.7.2.3 Temporal Subtraction
      • 3.7.2.4 Temporal Multiplication
      • 3.7.2.5 Temporal Division
      • 3.7.2.6 Temporal Relationals
  • 3.8 Port Type
    • 3.8.1 Port Constants
    • 3.8.2 Port Operators
  • 3.9 Address Type
    • 3.9.1 Address Constants
    • 3.9.2 Address Operators
  • 3.10 Net Type
    • 3.10.1 Net Constants
    • 3.10.2 Net Operators
  • 3.11 Records
    • 3.11.1 Defining records
    • 3.11.2 Record Constants
    • 3.11.3 Accessing Fields Using “$”
    • 3.11.4 Record Assignment
  • 3.12 Tables
    • 3.12.1 Declaring Tables
    • 3.12.2 Initializing Tables
    • 3.12.3 Table Attributes
    • 3.12.4 Accessing Tables
    • 3.12.5 Table Assignment
    • 3.12.6 Deleting Table Elements
  • 3.13 Sets
  • 3.14 Files
  • 3.15 Functions
  • 3.16 Event handlers
  • 3.17 The any type
• 4 Statements and Expressions
  • 4.1 Statements
  • 4.2 Expressions
• 5 Global and Local Variables
  • 5.1 Variables Overview
    • 5.1.1 Scope
    • 5.1.2 Assignment & call semantics
    • 5.1.3 Modifiability
    • 5.1.4 Typing
    • 5.1.5 Initialization
    • 5.1.6 Attributes
    • 5.1.7 Refinement
• 6 Predefined Variables and Functions
  • 6.1 Predefined Variables
    • 6.1.1 active.bro
    • 6.1.2 anon.bro
    • 6.1.3 backdoor.bro
    • 6.1.4 bro.init
    • 6.1.5 code-red.bro
    • 6.1.6 conn.bro
    • 6.1.7 demux.bro
    • 6.1.8 dns.bro
    • 6.1.9 dns-mapping.bro
    • 6.1.10 finger.bro
    • 6.1.11 ftp.bro
    • 6.1.12 hot.bro
    • 6.1.13 hot-ids.bro
    • 6.1.14 http.bro
    • 6.1.15 http-abstract.bro
    • 6.1.16 http-request.bro
    • 6.1.17 icmp.bro
    • 6.1.18 ident.bro
    • 6.1.19 interconn.bro
    • 6.1.20 irc.bro
    • 6.1.21 login.bro
    • 6.1.22 mime.bro
    • 6.1.23 notice.bro
    • 6.1.24 ntp.bro
    • 6.1.25 pop3.bro
    • 6.1.26 port-names.bro
    • 6.1.27 portmapper.bro
    • 6.1.28 scan.bro
    • 6.1.29 signatures.bro
    • 6.1.30 site.bro
    • 6.1.31 smtp.bro
    • 6.1.32 smtp-relay.bro
    • 6.1.33 software.bro
    • 6.1.34 ssh.bro
    • 6.1.35 stepping.bro
    • 6.1.36 tftp.bro
    • 6.1.37 udp.bro
    • 6.1.38 weird.bro
    • 6.1.39 worm.bro
    • 6.1.40 Uncategorized
  • 6.2 Predefined Functions
    • 6.2.1 Run-time errors for non-existing connections
    • 6.2.2 Run-time errors for strings with NULs
    • 6.2.3 Functions for manipulating strings
    • 6.2.4 Functions for manipulating time
• 7 Analyzers and Events
  • 7.1 Activating an Analyzer
    • 7.1.1 Loading Analyzers
    • 7.1.2 Filtering
  • 7.2 Module Facility
  • 7.3 General Processing Events
  • 7.4 Generic Connection Analysis
    • 7.4.1 The connection record
    • 7.4.2 Definitions of connections
    • 7.4.3 Generic TCP connection events
    • 7.4.4 The tcp analyzer
    • 7.4.5 The udp analyzer
    • 7.4.6 Connection summaries
    • 7.4.7 Connection functions
  • 7.5 Site-specific information
    • 7.5.1 Site variables
    • 7.5.2 Site-specific functions
  • 7.6 The hot Analyzer
    • 7.6.1 hot variables
    • 7.6.2 hot functions
  • 7.7 The scan Analyzer
    • 7.7.1 scan variables
    • 7.7.2 scan functions
    • 7.7.3 scan event handlers
  • 7.8 The port-name Analysis Script
  • 7.9 The brolite Analysis Script
  • 7.10 The alarm Analysis Script
  • 7.11 The active Analysis Script
  • 7.12 The demux Analysis Script
  • 7.13 The dns Analysis Script
    • 7.13.1 The dns_mapping record
    • 7.13.2 dns variables
    • 7.13.3 dns event handlers
  • 7.14 The finger Analyzer
    • 7.14.1 finger variables
    • 7.14.2 finger event handlers
  • 7.15 The frag Analysis Script
  • 7.16 The hot-ids Analysis Script
  • 7.17 The ftp Analyzer
    • 7.17.1 The ftp_session_info record
    • 7.17.2 ftp variables
    • 7.17.3 ftp functions
    • 7.17.4 ftp event handlers
    • 7.17.5 ftp notices
  • 7.18 The http Analyzer
    • 7.18.1 http variables
    • 7.18.2 http event handlers
  • 7.19 The ident Analyzer
    • 7.19.1 ident variables
    • 7.19.2 ident event handlers
  • 7.20 The irc Analyzer
    • 7.20.1 irc records
    • 7.20.2 irc variables
    • 7.20.3 irc event handlers
  • 7.21 The login Analyzer
    • 7.21.1 login analyzer confusion
    • 7.21.2 login variables
    • 7.21.3 login functions
    • 7.21.4 login event handlers
  • 7.22 The pop3 Analyzer
    • 7.22.1 The pop3_session_info record
    • 7.22.2 pop3 variables
    • 7.22.3 pop3 event handlers
  • 7.23 The portmapper Analyzer
    • 7.23.1 portmapper variables
    • 7.23.2 portmapper functions
    • 7.23.3 portmapper event handlers
  • 7.24 The analy Analyzer
  • 7.25 The signature Analysis Script
  • 7.26 The SSL Analyzer
    • 7.26.1 The x509 record
    • 7.26.2 The ssl_connection_info record
    • 7.26.3 SSL variables
    • 7.26.4 SSL event handlers
  • 7.27 The weird Analysis Script
    • 7.27.1 Actions for “weird” events
    • 7.27.2 weird variables
    • 7.27.3 weird functions
    • 7.27.4 Events handled by conn_weird
    • 7.27.5 Events handled by conn_weird_addl
    • 7.27.6 Events handled by flow_weird
    • 7.27.7 Events handled by net_weird
    • 7.27.8 Events generated by the standard scripts
    • 7.27.9 Additional handlers for “weird” events
  • 7.28 The icmp Analyzer
  • 7.29 The stepping Analyzer
  • 7.30 The ssh-stepping Analysis Script
  • 7.31 The backdoor Analyzer
  • 7.32 The interconn Analyzer
• 8 Signatures
  • 8.1 Overview
  • 8.2 Signature language
    • 8.2.1 Conditions
      • 8.2.1.1 Header conditions
      • 8.2.1.2 Content conditions
      • 8.2.1.3 Dependency conditions
      • 8.2.1.4 Context conditions
    • 8.2.2 Actions
  • 8.3 snort2bro
• 9 Interactive Debugger
  • 9.1 Debugger Overview
  • 9.2 A Sample Session
  • 9.3 Usage
  • 9.4 Notes and Limitations
  • 9.5 Reference
• 10 Missing Documentation
  • 10.1 The use of prefixes
  • 10.2 The tcpdump save file that Bro writes
  • 10.3 The bro.init initialization file
  • 10.4 Assignment operators such as +=
  • 10.5 The notion of redefinition/refinement
  • 10.6 The notice/alarm model
  • 10.7 Timer management
  • 10.8 SYN-FIN filtering
  • 10.9 Split routing
  • 10.10 Scan dropping
  • 10.11 Operator precedence
  • 10.12 Partial connections
  • 10.13 Packet drops
  • 10.14 The load directive
  • 10.15 Global statements
  • 10.16 Inserting tables into tables
  • 10.17 Demultiplexing
  • 10.18 Bro init file
  • 10.19 Hostnames vs. addresses
  • 10.20 The hot-report script
  • 10.21 Use of libpcap/BPF
  • 10.22 The problem of evasion
  • 10.23 Backscatter
  • 10.24 Playing back traces
  • 10.25 Discarders
  • 10.26 Differences between this release and the previous one
  • 10.27 Notice cascade
  • 10.28 The need for subtyping
  • 10.29 The need for CIDR masks
  • 10.30 The wish list
  • 10.31 Known bugs
  • 10.32 Execution tracing
  • 10.33 Policy analyzers
  • 10.34 Trace rewriting
  • 10.35 Rule benchmarking
  • 10.36 Connection state history recording
• 11 References
• Index