A swiss army knife is a plethora of tools wrapped up into one friendly and compact system. When describing anything as a swiss army knife, we mean they have a wide range of uses, whether it be knowledge, applicability, adaptivity, or otherwise.
Bro, the leading platform for network security monitoring, is quite an exciting ecosystem of wire-speed security analyzers and triggers. It takes a unique approach to network security monitoring, meaning it takes a bit of time to get used to it.
Bro was renamed to Zeek in 2018, but many still refer to it as “Bro.” For this article, we will refer to it as “Bro.” This is a gentle intro to familiarizing yourself with what Bro has to offer, complete with example code.
Bro code sample
Here is a simple hello world using bro.
Bro code samples
Here is a simple hello world using bro.
Event bro_init() { print “Hello, World!”; } event bro_done() { print “Goodbye, World!”; }
This uses the simple initialize() and finish() callbacks popular in most programming languages.
The ability of bro to act on various events helps us achieve several things at wire speed.
It can also load files from our file system using the @load command and there are several plugins developed by third party folks.
For Loop
Here is an example of a for loop.
event zeek_init() { for ( character in “abc” ) { print character; } }
This gives the following output.
a b c d e f g h
Switch Case
Here is a simple switch case in bro.
event zeek_init() { local x = 4; switch ( x ) { case 0: # This block only executes if x is 0. print “case 0”; break; case 1, 2, 3: # This block executes if any of the case labels match. print “case 1, 2, 3”; break; case 4: print “case 4 and …”; # Block ending in the “fallthrough” also execute subsequent case. fallthrough; case 5: # This block may execute if x is 4 or 5. print “case 5”; break; default: # This block executed if no other case matches. print “default case”; break; } }
Here is the output of the above file:
7 default case
Events example using bro
Here is a simple event demo. It is quite important to master it since bro works almost entirely using the events subsystem.
global myevent: event(s: string); global n = 0; event myevent(s: string) &priority = -10 { ++n; } event myevent(s: string) &priority = 10 { print “myevent”, s, n; } event bro_init() { print “bro_init()”; event myevent(“What is up”); schedule 5 sec { myevent(“tata”) }; } event bro_done() { print “bro_done()”; }
Here is the output:
bro_init() myevent, What is up, 0 myevent, tata, 1 bro_done()
The fundamentals are always important to master when learning new tools. In the next blog, we will go more in-depth. Think you can master these concepts before our next blog?
Did you enjoy this content? Follow our linkedin page!