Bro Package Index

Bro has the following script packages (e.g. collections of related scripts in a common directory). If the package directory contains a __load__.bro script, it supports being loaded in mass as a whole directory for convenience.

Packages/scripts in the base/ directory are all loaded by default, while ones in policy/ provide functionality and customization options that are more appropriate for users to decide whether they’d like to load it or not.

base/frameworks/broker

The Broker communication framework facilitates connecting to remote Bro instances to share state and transfer events.

base/frameworks/logging

The logging framework provides a flexible key-value based logging interface.

base/frameworks/logging/postprocessors

Support for postprocessors in the logging framework.

base/frameworks/input

The input framework provides a way to read previously stored data either as an event stream or into a Bro table.

base/frameworks/analyzer

The analyzer framework allows to dynamically enable or disable Bro’s protocol analyzers, as well as to manage the well-known ports which automatically activate a particular analyzer for new connections.

base/frameworks/files

The file analysis framework provides an interface for driving the analysis of files, possibly independent of any network protocol over which they’re transported.

base/frameworks/files/magic

base/bif

base/bif/plugins

base/frameworks/reporter

This framework is intended to create an output and filtering path for internally generated messages/warnings/errors.

base/frameworks/notice

The notice framework enables Bro to “notice” things which are odd or potentially bad, leaving it to the local configuration to define which of them are actionable. This decoupling of detection and reporting allows Bro to be customized to the different needs that sites have.

base/frameworks/netcontrol

The NetControl framework provides a way for Bro to interact with networking hard- and software, e.g. for dropping and shunting IP addresses/connections, etc.

base/frameworks/netcontrol/plugins

Plugins for the NetControl framework.

base/frameworks/openflow

The OpenFlow framework exposes the data structures and functions necessary to interface to OpenFlow capable hardware.

base/frameworks/openflow/plugins

Plugins for the OpenFlow framework.

base/frameworks/cluster

The cluster framework provides for establishing and controlling a cluster of Bro instances.

base/frameworks/control

The control framework provides the foundation for providing “commands” that can be taken remotely at runtime to modify a running Bro instance or collect information from the running instance.

base/frameworks/dpd

The DPD (dynamic protocol detection) activates port-independent protocol detection and selectively disables analyzers if protocol violations occur.

base/frameworks/signatures

The signature framework provides for doing low-level pattern matching. While signatures are not Bro’s preferred detection tool, they sometimes come in handy and are closer to what many people are familiar with from using other NIDS.

base/frameworks/packet-filter

The packet filter framework supports how Bro sets its BPF capture filter.

base/frameworks/software

The software framework provides infrastructure for maintaining a table of software versions seen on the network. The version parsing itself is carried out by external protocol-specific scripts that feed into this framework.

base/frameworks/communication

The communication framework facilitates connecting to remote Bro or Broccoli instances to share state and transfer events.

base/frameworks/intel

The intelligence framework provides a way to store and query intelligence data (such as IP addresses or strings). Metadata can also be associated with the intelligence.

base/frameworks/sumstats

The summary statistics framework provides a way to summarize large streams of data into simple reduced measurements.

base/frameworks/sumstats/plugins

Plugins for the summary statistics framework.

base/frameworks/tunnels

The tunnels framework handles the tracking/logging of tunnels (e.g. Teredo, AYIYA, or IP-in-IP such as 6to4 where “IP” is either IPv4 or IPv6).

base/protocols/conn

Support for connection (TCP, UDP, or ICMP) analysis.

base/protocols/dce-rpc

Support for DCE/RPC (Distributed Computing Environment/Remote Procedure Calls) protocol analysis.

base/protocols/dhcp

Support for Dynamic Host Configuration Protocol (DHCP) analysis.

base/protocols/dnp3

Support for Distributed Network Protocol (DNP3) analysis.

base/protocols/dns

Support for Domain Name System (DNS) protocol analysis.

base/protocols/ftp

Support for File Transfer Protocol (FTP) analysis.

base/protocols/ssl

Support for Secure Sockets Layer (SSL) protocol analysis.

base/files/x509

Support for X509 certificates with the file analysis framework.

base/files/hash

Support for file hashes with the file analysis framework.

base/protocols/http

Support for Hypertext Transfer Protocol (HTTP) analysis.

base/protocols/imap

Support for the Internet Message Access Protocol (IMAP).

Note that currently the IMAP analyzer only supports analyzing IMAP sessions until they do or do not switch to TLS using StartTLS. Hence, we do not get mails from IMAP sessions, only X509 certificates.

base/protocols/irc

Support for Internet Relay Chat (IRC) protocol analysis.

base/protocols/krb

Support for Kerberos protocol analysis.

base/protocols/modbus

Support for Modbus protocol analysis.

base/protocols/mysql

Support for MySQL protocol analysis.

base/protocols/ntlm

Support for NT LAN Manager (NTLM) protocol analysis.

base/protocols/smb

Definitions of constants used by the SMB protocol.

base/protocols/pop3

Support for POP3 (Post Office Protocol) protocol analysis.

base/protocols/radius

Support for RADIUS protocol analysis.

base/protocols/rdp

Support for Remote Desktop Protocol (RDP) analysis.

base/protocols/rfb

Support for Remote FrameBuffer analysis. This includes all VNC servers.

base/protocols/sip

Support for Session Initiation Protocol (SIP) analysis.

base/protocols/snmp

Support for Simple Network Management Protocol (SNMP) analysis.

base/protocols/smtp

Support for Simple Mail Transfer Protocol (SMTP) analysis.

base/protocols/socks

Support for Socket Secure (SOCKS) protocol analysis.

base/protocols/ssh

Support for SSH protocol analysis.

base/protocols/syslog

Support for Syslog protocol analysis.

base/protocols/tunnels

Provides DPD signatures for tunneling protocols that otherwise wouldn’t be detected at all.

base/protocols/xmpp

Support for the Extensible Messaging and Presence Protocol (XMPP).

Note that currently the XMPP analyzer only supports analyzing XMPP sessions until they do or do not switch to TLS using StartTLS. Hence, we do not get actual chat information from XMPP sessions, only X509 certificates.

base/files/pe

Support for Portable Executable (PE) file analysis.

base/files/extract

Support for extracting files with the file analysis framework.

base/files/unified2

Support for Unified2 files in the file analysis framework.

broxygen

This package is loaded during the process which automatically generates reference documentation for all Bro scripts (i.e. “Broxygen”). Its only purpose is to provide an easy way to load all known Bro scripts plus any extra scripts needed or used by the documentation process.

policy/frameworks/intel/seen

Scripts that send data to the intelligence framework.

policy/integration/barnyard2

Integration with Barnyard2.

policy/integration/collective-intel

The scripts in this module are for deeper integration with the Collective Intelligence Framework (CIF) since Bro’s Intel framework doesn’t natively behave the same as CIF nor does it store and maintain the same data in all cases.

policy/misc/detect-traceroute

Detect hosts that are running traceroute.

policy/protocols/smb

Support for SMB protocol analysis.

policy/tuning

Miscellaneous tuning parameters.

policy/tuning/defaults

Sets various defaults, and prints warning messages to stdout under certain conditions.

Next Page

Bro Script Index

Previous Page

File Analyzers

Copyright 2016, The Bro Project. Last updated on October 17, 2017. Created using Sphinx 1.5.2.