BroCI is a system that you can use to both test and profile Bro scripts before deployment. You can see the sample-repo for an example of how a repository would be configured to work with BroCI.
(Right now only works with bro running on same device as webserver, traffic generator, and MongoDB)
- Start up Mongod
- Run
brofiler.py- This will start up bro, collect some stats, and start putting them in DB.
- For now, let it start seeding the DB for about 10 seconds before starting server.
- Start
server/server.py- It will start listening for connections on port 80.
- Create a test git repo to perform CI on.
- It should have a
/scriptsdirectory for scripts that we are going to be testing.
- It should have a
- Put it into the field on the BroCI homepage and click "Send"
- The page will pull the git repo and load the proper scripts into bro.
- Click "Run Tests"
- This will run tcpreplay on all of the files and collect our results.
- You can view the results in finer detail by slecting the time ranges. If you select and invalid timerange the graphs won't show anything.
- Run
installon broctl after it's been freshly installed. - Change loaded scripts in local.bro
- Tcpreplay sample command on n0:
sudo tcpreplay --topspeed --loop=0 --intf1=eth2 c1_final.pcap - Convert file to be transmitted fron n0:
tcprewrite --dstipmap=0.0.0.0/0:10.1.1.3 --enet-dmac=00:04:23:b7:41:f0 --srcipmap=0.0.0.0/0:10.1.1.2 --enet-smac=00:04:23:a8:da:62 --fixcsum --infile=browse.pcap --outfile=temp1.pcap
- Logs:
/usr/local/bro/logs - Local.bro and other scripts to be used by broctl are stored in:
/usr/local/bro/share/bro/site - Store actual broscript ref'd by local.bro in:
/usr/local/bro/share/bro/policy/misc - Change node config in:
/usr/local/bro/etc/
The profiler module (profiler.bro) is stored in /usr/local/bro/share/bro/site. There should be an entry in local.bro for it with the line @load profiler.bro.
A log file only appears when someone calls it with the log_event(name) function.