
Initial commit and plan for the Bro fire-scripts; inc http-fire.bro

1 parent 3650213 commit 22cdcc8734be825a7d21a5586c74ba14fda72979 @LiamRandall committed Feb 9, 2013
Showing with 265 additions and 0 deletions.
  1. +57 −0 fire-scripts/README.md
  2. +120 −0 fire-scripts/http-fire-detail-raw.bro
  3. +88 −0 fire-scripts/http-fire.bro
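--- a/fire-scripts/README.md
+++ b/fire-scripts/README.md
@@ -0,0 +1,57 @@
+fire-scripts
+=
+
+The "print line" has to be one of the oldest debugging and development techniques taught in introductory CS classes. With the Bro Network Programming language developers are learning- protocols and protocol analyzers are complex. Even on seeming "simple" protocols the devil is in the details and edge cases of the RFC.
+
+These Bro scripts are intended to aid in the initial development and understanding of when Bro events are firing off as traffic drives the Bro Network Programming language forward through the state of each protocol. These scripts have little productioin value however will help to the user to understand the order, frequency and information available to the user as each event fires.
+
+We are using the following naming convention for each protocol script:
+
+**NAME-fire.bro:**
+As each event fires print do a printline to the screen.
+
+**NAME-fire-count.bro:** Upon the completion of Bro and the firing of the [bro_done](http://www.bro-ids.org/documentation/scripts/base/event.bif.html#id-bro_done) event show some simple metrics as to the frequency of each event.
+
+**NAME-fire-detail:** Warning, verbose. Print the raw variables out with some basic formating for each variable.
+
+**NAME-fire-detail-raw:** Warning verbose. Just print each of the raw variable out to the screen as each event fires.
+
+For a detailed and authoritative description of each Bro script please see:
+
+[event.bif](http://www.bro-ids.org/documentation/scripts/base/event.bif.html)
+
+-or-
+
+$BROHOME$/bro/share/bro/base/event.bif.bro
+
+This should be considered a work-in-progress; for the latest version please see [my git-hub account](https://github.com/LiamRandall). I will begin with the most common protocols first; eventually I would like to add a series of scripts that help the user quickly identify abnormalities in the pcap samples. The more programming I do in the Bro Network Programming language the more great ideas I have- like many others in this small community I know the future is full of possiblity and that Bro-IDS is only the first great program to be written in the Bro Network Programming Lanuage. I sincerely hope these assist you to get up to speed quickly.
+
+Sincerely,
+
+Liam Randall [@Hectaman](https://twitter.com/hectaman)
+
+
+**Key:**
+- [ ] Not yet started
+- [-] Under development
+- [X] Complete
+
+
+**Current Status:**
+
+- [ ] http
+- - [X] http-fire.bro
+- - [ ] http-fire-count.bro
+- - [ ] http-fire-detail.bro
+- - [ ] http-fire-detail-raw.bro
+- [ ] dns
+- - [ ] dns-fire.bro
+- - [ ] dns-fire-count.bro
+- - [ ] dns-fire-detail.bro
+- - [ ] dns-fire-detail-raw.bro
+- [ ] ssl-tls
+- - [ ] ssl-tls-fire.bro
+- - [ ] ssl-tls-fire-count.bro
+- - [ ] ssl-tls-fire-detail.bro
+- - [ ] ssl-tls-fire-detail-raw.bro
+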
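--- a/fire-scripts/http-fire-detail-raw.bro
+++ b/fire-scripts/http-fire-detail-raw.bro
@@ -0,0 +1,120 @@
+## http-fire-detail-raw.bro
+##
+## Part of the Bro fire-scripts
+## https://github.com/LiamRandall/bro-scripts/fire-scripts/README.md
+## Upon firing of each event for the http protocol print the raw variable values to screen
+##
+## TODO:
+## Test for each variable, print it, if not set not that
+
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+ {
+ print fmt("---------------------------------------------------------------");
+
+ print fmt("event http_header");
+# print fmt("connection: %s", c);
+ print fmt(" connection: %s", c);
+ }
+
+event http_request(c:connection, method:string, original_URI: string, unescaped_URI: string, version: string)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_request");
+ print fmt(" connection: %s", c);
+# print fmt("");
+ }
+event http_reply(c: connection, version: string, code: count, reason: string)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_reply");
+ print fmt(" connection: %s", c);
+ }
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_header");
+ print fmt(" connection: %s", c);
+
+ }
+
+event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_all_headers");
+ print fmt(" connection: %s", c);
+ }
+
+event http_begin_entity(c: connection, is_orig: bool)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_begin_entity");
+ print fmt(" connection: %s", c);
+
+ }
+
+event http_end_entity(c: connection, is_orig: bool)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_end_entity");
+ print fmt(" connection: %s", c);
+ }
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_entity_data");
+ print fmt(" connection: %s", c);
+ }
+
+event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_content_type");
+ print fmt(" connection: %s", c);
+
+ }
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_message_done");
+ print fmt(" connection: %s", c);
+ }
+
+event http_event(c: connection, event_type: string, detail: string)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_event");
+ print fmt(" connection: %s", c);
+ }
+
+event http_stats(c: connection, stats: http_stats_rec)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_stats");
+ print fmt(" connection: %s", c);
+ }
+
+event http_signature_found(c: connection)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_signature_found");
+ print fmt(" connection: %s", c);
+ }
+
+event http_proxy_signature_found(c: connection)
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("event http_proxy_signature_found");
+ print fmt(" connection: %s", c);
+ }
+
+
+
+event bro_done()
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("Bro is done");
+ }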
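Review bot: `http_header` is handled twice in this file (once at the top, again immediately after `http_reply`); Bro runs every handler registered for an event, so each header prints the separator and `event http_header` twice and the output overstates how often the event fires — the second handler should be deleted. The header comment promises the raw variable values, but every handler prints only `c`; the event-specific arguments (`name`/`value`, `method`/`original_URI`/`unescaped_URI`/`version`, `code`/`reason`, `ty`/`subty`, `event_type`/`detail`, `stat`, `stats`, `hlist`, `length`/`data`) are never shown, which is presumably the open TODO. When those are added, `data` in `http_entity_data` is attacker-controlled body content that may be binary and large, so print its length and a short, escaped prefix rather than the whole chunk, or one big response will flood the terminal (`escape_string` and `sub_bytes` are the builtins I would reach for — confirm they exist in the Bro version you target). Minor style: `print fmt("literal")` with no format arguments is just `print "literal";`.
```bro
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
 {
 print fmt("---------------------------------------------------------------");
 print fmt("event http_request");
 print fmt(" connection: %s", c);
 print fmt(" method: %s  version: %s", method, version);
 print fmt(" original_URI: %s", original_URI);
 print fmt(" unescaped_URI: %s", unescaped_URI);
 }

# … unchanged: http_reply, http_all_headers, http_begin_entity, http_end_entity …

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
 {
 print fmt("---------------------------------------------------------------");
 print fmt("event http_entity_data");
 print fmt(" connection: %s", c);
 # Body bytes come from the wire: they may be binary and very large, so show the
 # size and a bounded, escaped prefix instead of dumping the raw payload.
 print fmt(" is_orig: %s  length: %d  bytes_in_chunk: %d", is_orig, length, |data|);
 print fmt(" data (first 64 bytes): %s", escape_string(sub_bytes(data, 1, 64)));
 }
```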
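--- a/fire-scripts/http-fire.bro
+++ b/fire-scripts/http-fire.bro
@@ -0,0 +1,88 @@
+## http-fire.bro
+##
+## Part of the Bro fire-scripts
+## https://github.com/LiamRandall/bro-scripts/fire-scripts/README.md
+## Upon firing of each event for the http protocol simply print a line.
+
+
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+ {
+ print fmt("event http_header");
+ }
+
+event http_request(c:connection, method:string, original_URI: string, unescaped_URI: string, version: string)
+ {
+ print fmt("event http_request");
+ }
+event http_reply(c: connection, version: string, code: count, reason: string)
+ {
+ print fmt("event http_reply");
+ }
+
+event http_header(c: connection, is_orig: bool, name: string, value: string)
+ {
+ print fmt("event http_header");
+
+ }
+
+event http_all_headers(c: connection, is_orig: bool, hlist: mime_header_list)
+ {
+ print fmt("event http_all_headers");
+ }
+
+event http_begin_entity(c: connection, is_orig: bool)
+ {
+ print fmt("event http_begin_entity");
+
+ }
+
+event http_end_entity(c: connection, is_orig: bool)
+ {
+ print fmt("event http_end_entity");
+ }
+
+event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
+ {
+ print fmt("event http_entity_data");
+ }
+
+event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
+ {
+ print fmt("event http_content_type");
+
+ }
+
+event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
+ {
+ print fmt("event http_message_done");
+ }
+
+event http_event(c: connection, event_type: string, detail: string)
+ {
+ print fmt("event http_event");
+ }
+
+event http_stats(c: connection, stats: http_stats_rec)
+ {
+ print fmt("event http_stats");
+ }
+
+event http_signature_found(c: connection)
+ {
+ print fmt("event http_signature_found");
+ }
+
+event http_proxy_signature_found(c: connection)
+ {
+ print fmt("event http_proxy_signature_found");
+ }
+
+
+
+event bro_done()
+ {
+ print fmt("---------------------------------------------------------------");
+ print fmt("Bro is done");
+ }
+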
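Review bot: `http_header` has two identical handlers in this file (one before `http_request`, one after `http_reply`); Bro executes every handler registered for an event, so each header line prints `event http_header` twice, which defeats the stated purpose of showing true event order and frequency — delete the second handler. Because the README in this commit plans the `-count` and `-detail` variants from this template, the duplicate would likely be carried forward unless it is fixed here. A direction marker would make the printed order much easier to follow at no cost, e.g. `print fmt("event http_header (%s)", is_orig ? "orig" : "resp");` in the handlers that receive `is_orig`. Minor style: `print fmt("literal")` with no format arguments can simply be `print "literal";`.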
