Bro: Security's Swiss Army Knife

Posted by Craig Jorgensen

A Swiss Army knife is a plethora of tools wrapped up into one friendly and compact package. When we describe anything as a Swiss Army knife, we mean it has a wide range of uses, whether that is breadth of knowledge, applicability, adaptability, or something else.

Bro, the leading platform for network security monitoring, is an exciting ecosystem of wire-speed protocol analyzers and the scripts that react to what they find. It takes an unusual approach to network security monitoring: rather than only matching signatures, it turns the traffic it sees into a stream of events that your scripts handle, so it takes a bit of time to get used to.

Bro was renamed to Zeek in 2018, but many still refer to it as "Bro." For this article, we will refer to it as "Bro." This is a gentle intro to familiarizing yourself with what Bro has to offer, complete with example code.

Bro code samples

Here is a simple hello world using bro.

event bro_init()
{
    # bro_init() fires once, after all scripts are loaded and before any
    # traffic is processed. This is the Bro 2.x name; Zeek 3.0 renamed it
    # zeek_init(), which the later examples use.
    print "Hello, World!";
}

event bro_done()
{
    # bro_done() fires once at shutdown (zeek_done() in Zeek 3.0 and later).
    print "Goodbye, World!";
}

These play the role of the init and shutdown hooks found in most frameworks: bro_init() runs once after all scripts are loaded and before any packet is processed, and bro_done() runs once when Bro shuts down.

Because Bro exposes everything it sees on the wire as events, a script can react to new connections, HTTP requests, DNS queries, file transfers and so on as they happen, at wire speed.

Scripts are composed with the @load directive, which pulls another script (or a whole script package) in from Bro's script search path, and a growing set of third-party packages installed through the Zeek package manager (zkg) extends the base library.

 

For Loop

Here is an example of a for loop. Bro's for iterates over the members of a set, table or vector, or over the characters of a string, and the loop variable is declared implicitly.

event zeek_init()
{
    # Iterating over a string yields one character per iteration, as a string.
    for ( character in "abc" )
    {
        print character;
    }
}

This gives the following output, one line per character of "abc":

a
b
c

 

Switch Case

Here is a simple switch case in Bro. Unlike C, a case block must end with break, fallthrough, or return; Bro rejects a block that simply runs off the end.

event zeek_init()
{
    local x = 4;

    switch ( x )
    {
    case 0:
        # This block only executes if x is 0.
        print "case 0";
        break;
    case 1, 2, 3:
        # This block executes if any of the case labels match.
        print "case 1, 2, 3";
        break;
    case 4:
        print "case 4 and ...";
        # A block ending in "fallthrough" also executes the next case.
        fallthrough;
    case 5:
        # This block executes if x is 5, or if x is 4 via the fallthrough.
        print "case 5";
        break;
    default:
        # This block executes if no other case matches.
        print "default case";
        break;
    }
}

Here is the output of the above file. With x set to 4, the "case 4" block runs and then falls through into "case 5", whose break ends the switch, so the default block is never reached:

case 4 and ...
case 5

 

Events example using bro

Here is a simple event demo. It is important to master this, since Bro works almost entirely through its event system: you declare an event, write one or more handlers for it, and raise it either immediately with event or later with schedule. When several handlers exist for the same event, they run from highest to lowest &priority (the default is 0).

global myevent: event(s: string);

global n = 0;

# Lowest priority, so this handler runs last for each myevent.
event myevent(s: string) &priority = -10
{
    ++n;
}

# Highest priority, so this handler runs first and sees n before the
# increment above.
event myevent(s: string) &priority = 10
{
    print "myevent", s, n;
}

event bro_init()
{
    print "bro_init()";
    # "event" queues myevent; its handlers run after this one returns.
    event myevent("What is up");
    # "schedule" queues it for 5 seconds later on Bro's network clock.
    schedule 5 sec { myevent("tata") };
}

event bro_done()
{
    print "bro_done()";
}

Here is the output:

bro_init()
myevent, What is up, 0
myevent, tata, 1
bro_done()

The first myevent line appears only after bro_init() has finished, because the event statement queues the event rather than calling its handlers directly, and each line shows n as it was before the lower-priority handler incremented it. The scheduled "tata" arrives 5 seconds later on Bro's network clock; when you replay a pcap with -r, that clock follows the packet timestamps rather than wall-clock time.
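To show what these pieces look like when they do real monitoring work, here is an added example that is not part of the original post or of Bro's own script library. It combines @load, a module with exported constants, a table with an expiry attribute and a built-in event (new_connection) into a small port-scan heuristic that raises a Notice when one source touches many distinct ports on one host. The module name, the threshold (20 ports) and the window (5 minutes) are assumptions chosen for this example; tune them for your network. It targets Zeek 3.0 or later and is run with something like zeek -r trace.pcap portscan-demo.zeek (the script filename is also assumed), after which the hits appear in notice.log.

```zeek
# portscan-demo.zeek (assumed filename): added example, not from the original post.
@load base/frameworks/notice

module PortScanDemo;

export {
    redef enum Notice::Type += {
        ## Raised when one source contacts more than `threshold` distinct
        ## destination ports on the same responder within `window`.
        Many_Ports
    };

    ## Assumed thresholds for this example; override them with redef.
    const threshold = 20 &redef;
    const window = 5 min &redef;
}

## Distinct destination ports seen per [originator, responder] pair.
## &create_expire drops an entry `window` after it was created, so the
## count is bounded in time (and the table cannot grow without limit).
## &write_expire would instead restart the clock on every update.
global ports_seen: table[addr, addr] of set[port] &create_expire=window;

## Pairs already reported, so one scan produces one notice, not hundreds.
global reported: set[addr, addr] &create_expire=window;

## new_connection fires on the first packet of every connection, which is
## exactly when a scanner's probe becomes visible, even if nothing answers.
event new_connection(c: connection)
{
    local orig = c$id$orig_h;
    local resp = c$id$resp_h;

    if ( [orig, resp] !in ports_seen )
        ports_seen[orig, resp] = set();

    add ports_seen[orig, resp][c$id$resp_p];

    if ( |ports_seen[orig, resp]| > threshold && [orig, resp] !in reported )
    {
        add reported[orig, resp];
        NOTICE([$note=Many_Ports,
                $msg=fmt("%s contacted %d distinct ports on %s within %s",
                         orig, |ports_seen[orig, resp]|, resp, window),
                $conn=c,
                # $identifier lets the Notice framework suppress repeats
                # of the same notice for Notice::suppression_interval.
                $identifier=cat(orig, resp)]);
    }
}
```

The two expiry attributes are the part worth studying: without them, a long-running sensor would keep a set of ports for every source/destination pair it ever saw, which is both a memory problem and a false-positive problem, since a host that slowly contacts 21 ports over a month is not scanning. Everything else is the same event-handler pattern as the myevent example above, just driven by traffic instead of by bro_init().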


The fundamentals are always important to master when learning new tools. In the next blog, we will go more in-depth. Think you can master these concepts before our next blog?

 



Written by Craig Jorgensen

I'm a recent graduate from South Dakota State University with a degree in Computer Science. For me, programming is both a passion and an occupation, but I have been broadening my horizons as Customer Success Manager with Query.AI, where we are using Natural Language Processing to allow users to "talk to your data".

Topics: Bro, Zeek