Time: 1 hour 24 minutes
Difficulty: Beginner
CEU/CPE: 1

Video Description

In this segment we cover one of Zeek's most central concepts, the event. We discuss how events in Zeek are analogous to human network traffic analysis activities and describe how Zeek provides access to network traffic artifacts through the use of event handlers. Finally, we review several of Zeek's built-in events and discuss how they can be handled to perform various traffic analysis tasks.

Video Transcription

00:00
In this next section, I'm going to discuss one of Bro's central concepts, the event.
00:06
In Bro, like many programming languages, actions are carried out when something occurs,
00:11
and in Bro's case that something is an event.
00:14
You can think of events in Bro like events in real life; they represent a thing that happened or is happening.
00:21
In real life, a traffic analyst reconstructs a TCP stream from a pcap
00:25
by tracing the originating SYN, the responding SYN-ACK and the final ACK of the three-way handshake.
00:32
When Bro analyzes that same pcap and reconstructs the three-way handshake,
00:37
it executes events that signify where in the reconstruction process it is.
00:42
It will execute an event when the first SYN is seen,
00:45
when the connection is established, and so on.
00:47
Bro actually represents TCP, UDP and ICMP communications this way.
00:53
Many of Bro's protocol analyzers execute events throughout their traffic analysis life cycle as well.
01:00
Bro core makes many events globally accessible for handling that can be used to satisfy a wide variety of use cases.
01:07
In fact, Bro's base contains 51 individual Bro scripts,
01:11
26 frameworks and 21 protocol analyzers.
01:15
In total, they declare 119 globally accessible events, which provides extensive functionality and capabilities in network traffic analysis.
01:25
I'll provide a link in the resources section to more information about Bro's built-in events.
01:32
Events can be executed from any of Bro's executable types.
01:36
When they are, they're passed the required arguments, if there were any defined.
01:41
Handlers are blocks of code that are executed every time an event is executed.
01:46
Handlers join a queue in order of priority,
01:49
and that priority is determined by the priority attribute that is specified when the handler is declared.
01:55
If no priority attribute is specified,
01:59
the handler assumes a default priority of zero.
02:04
As mentioned before, Bro core executes many events. It also defines numerous event handlers for its own built-in events.
02:10
Many of Bro's protocol analyzers define handlers for core events, and these do the dissection, analysis, enrichment and transformation tasks that take raw packets and turn them into the logs that Bro is known for.
02:23
Along the way, event handlers declared by non-core policy scripts perform a variety of other analysis tasks, like capturing measurements for statistics, storing traffic artifacts, or evaluating protocol fields for specific patterns or attributes.
02:38
On the next slide we'll take a closer look at how handlers interact with events through event queues.
02:46
Now let's step into this from a different perspective.
02:49
For the purposes of this discussion, let's say that this box represents Bro's runtime environment.
02:54
The process starts, does some low-level setup, and reads and interprets any scripts that are specified in Bro core.
03:01
Many of these core scripts declare events.
03:05
The declaration of events results in the creation of event queues within the main Bro process.
03:10
It can help to think of these queues as a data pipeline, where you can imagine events entering on one end and exiting on the other.
03:17
Scripts define event handlers that attach to this pipeline
03:22
and work with the record instances in the events as they pass through.
03:25
Each handler gets access to an event and its record instance once and only once.
03:31
Bro's script interpreter executes non-core scripts and policies last.
03:36
New scripts can also declare events, which results in the creation of an event queue in the core process.
03:42
Scripts executed by the interpreter not only declare and trigger events, they define handlers, too.
03:47
Handlers are a block of code that gets executed any time an event is executed.
03:53
The order in which handlers are executed is determined by the priority attribute.
03:58
The attribute is set when an event handler is declared in Bro script.
04:01
As packets are processed by Bro core, the event engine inspects the packet headers and determines if the new packet is related to an existing connection, or one it is already tracking. When that determination is made, Bro core generates events relevant to the part of the UDP, TCP, or ICMP exchange that is currently taking place.
04:21
When an event is executed, each of its handlers is executed in order of priority.
04:27
The priority is determined based on a range of integers, where higher positive integers represent higher priority and lower negative integers are lower priority.
04:38
Each event handler does some work with the arguments contained in the event.
04:42
Those arguments could be a record type
04:44
and/or any combination of Bro's other non-executable types.
04:48
The handler does some work with the arguments and actually executes other events.
04:53
Those events are passed through event queues, and the process continues until each handler for every triggered event has been executed.
05:01
Now let's talk about the difference between invocation and declaration with regard to events.
05:08
When you see the word event in Bro script, it could be in a couple of different contexts. This can be confusing at first, and it's helpful to understand the differences early on.
05:16
Events and their handlers are referenced in two general ways in Bro script: declaration and invocation.
05:24
Declaration is required. Invocation is optional.
05:28
Typically, events in Bro are declared as global variables inside of an export block.
05:33
In this declaration statement, the event's arguments are also defined.
05:38
An example of this global variable declaration is shown here:
05:42
the keyword global, followed by the name of the new event,
05:45
followed by the type specification, in this case event,
05:48
followed by the list of named arguments, which is contained inside of these parentheses.
05:55
Events do not require arguments, and there can also be multiple arguments of varying types.
06:00
Each argument is assigned a name and its type is specified.
06:02
In many cases, an event declaration will include a record type as an argument, such as in the example here, where the argument is the Info record defined by the Alerts module.
06:13
Passing record instances between event handlers is a common practice for sharing and working with connection state in Bro.
06:19
Event handlers are declared within the main body of the script. In other words, they're not available to other scripts.
06:26
A handler declaration will specify the event name and arguments list that match the event declaration,
06:32
as shown in the second example here. The handler's name is the same as the event, alert_triggered,
06:40
and the list of arguments is also exactly the same as the event declaration.
06:45
A large portion of Bro's executable code is defined within event handlers.
06:48
Handlers perform a multitude of analysis tasks, including calls to the logging framework's write function that writes record instances to disk in the form of log entries.
06:59
Invocation occurs when Bro events are executed within an executable type, like an event handler. At this point, Bro queues all of the declared handlers for execution in the defined priority order and passes them each the event arguments, if any were declared.
07:14
I understand the difference between declaration and invocation can be difficult, so I suggest you take a look at some of the scripts included in the Bro source and other resources available to get more familiar.
07:26
I mentioned the bro_init event several times during the prologue segment.
07:30
bro_init is what can be referred to as a Bro process event, and it's one of two I want to mention now.
07:36
bro_init is executed once every time the Bro process starts up, and it's used for things like declaring constants, setting up log streams and filters as we discussed before, as well as configuring inputs like threat intel feeds.
07:49
Conversely, bro_done is executed every time a Bro process shuts down.
07:54
You might not find much need for bro_done initially, but it is a valuable event for cleaning up state information being maintained by your scripts or preserving data to disk before it's cleared out of Bro's memory.
08:07
Now let's take a look at some of Bro's more commonly used events, the connection state events.
08:13
The vast majority of events generated by Bro are connection state events.
08:16
The first of these I want to mention is the new_connection event.
08:20
As you might expect, this is executed every time Bro begins tracking a new connection, that is, when Bro sees the first packet of a new connection.
08:28
At this point in the tracking process, Bro knows very little other than the layer three and layer four details.
08:35
The connection_established event is executed when Bro sees the SYN-ACK in response to the originating SYN of a TCP connection.
08:43
This doesn't signify the completion of the TCP three-way handshake,
08:48
but at this point, Bro begins tracking the connection and assigns it a UID, a unique identifier.
08:54
connection_state_remove events are triggered when Bro has completely finished its processing of a connection: both sides have closed the session or the activity timeout for the protocol has expired.
09:05
At this point, Bro has learned everything it can know about a connection.
09:09
All of its protocol analyzers have finished running, and Bro is about to remove the connection from memory.
09:13
This is an important event to be aware of because it's executed for every connection, regardless of protocol.
09:20
You can handle this event and access all of the information Bro gathered about a connection
09:24
in a single record, which is very convenient.
09:28
As I mentioned, Bro also strives to make its handling of UDP look and feel like its handling of TCP,
09:35
and this is apparent in the udp_session_done event
09:37
for protocols like DNS, NTP, NetBIOS and syslog.
09:43
Bro executes these events when it has seen the request and response sides of a UDP transaction or the UDP activity timer has expired.
09:52
Now let's take a closer look at the connection_state_remove event.
09:56
The connection_state_remove event is triggered for every connection Bro analyzes, regardless of protocol.
10:01
As shown below, this event is declared with a single argument, the connection record.
10:05
In the script editor here, I've pasted a formatted instance of a live connection record.
10:11
Connection records aren't normally written to a log in this state, so for demo purposes,
10:16
I've written a small script that converts them to JSON and prints to standard out.
10:20
As you can see here, there are many fields available at the time connection_state_remove is executed.
10:24
As you saw before, the connection record contains the id field, which is also a record.
10:30
The id is where you find the IPs and ports in use in the connection.
10:33
Additionally, note how Bro includes an instance of the HTTP::Info record in the http field.
10:41
This is where the convenience of certain events is apparent, as a Bro script author can work with the connection fields and HTTP fields inside of a single event handler.
10:50
To access a record field within the http record, use the sub-record dollar sign notation, as I've shown here.
10:58
You'll see and probably need this syntax a lot in Bro script, so it's worth getting familiar with early on.
11:05
Now, let's talk about some of the log events defined by Bro.
11:07
Most of Bro's protocol analyzers define a log_ event that contains the analyzer's Info record as the only argument.
11:16
Unlike other events that represent the different stages of a network transaction,
11:20
these are generated when protocol analyzers have completed,
11:22
or reached the point where an event needs to be written to a log stream.
11:26
The analyzer's Info record is typically the only argument passed with the log_ event.
11:33
The Info record instance contains the protocol metadata Bro has collected up until this point.
11:39
This often occurs when a client and server exchange has completed, such as is the case with HTTP and DNS.
11:46
log_ events are very useful in Bro scripting and are a good mechanism for performing more extensive scripting operations.
11:54
For a quick example, let's take a look at the log_http event
11:58
and the HTTP::Info record.
12:01
We saw this before when we reviewed the HTTP log.
12:05
In Bro script, we can handle the log_http event and have programmatic access to everything contained in that Info record.
12:13
As you can see here, this includes a lot of great information, fields and values that support a variety of analysis tasks.
12:22
Now, I briefly want to mention Bro's other protocol analyzers.
12:24
I've mentioned Bro's HTTP analyzer a lot because it's one of the most commonly sought after by new Bro users.
12:31
Bro can analyze many other application layer protocols, however, and all of the analyzers shown here declare globally accessible events.
12:39
One of the first steps you'll take when defining a new Bro script is to see if Bro supports the protocol you want to work with.
12:46
Next, take a look at the events generated by that analyzer.
12:50
You can find these in a few places. For instance, this is a list of protocol analyzer event declaration files.
12:56
These are .bif, or built-in function, files,
13:00
and they're defined by each analyzer.
13:03
They contain the events relevant to the inspection of each of the listed protocols.
13:07
Alternatively, a protocol analyzer's log_ event is typically defined in that analyzer's main.bro script file.
13:16
You can find this in the directory path of the analyzer itself.
13:20
When you're reviewing a Bro module's contents on the documentation website,
13:24
take a look at the navigation menus on the right-hand side.
13:28
From here, you can jump directly to the event section.
13:31
As a Bro script author, you can define event handlers for any of these events, giving you access to an enormous amount of protocol instance information.
13:39
Exposing protocol analysis results in this way is part of what makes Bro scripts so extensible and attractive for ongoing analysis as well as incident response.
13:50
Now let's take a look at some of Bro's file analysis events.
13:54
When Bro's Files framework is enabled, events are also generated during the various phases of the file analysis process.
14:01
This isn't functionality we're spending a lot of time on in this course, but it's definitely good to be aware of.
14:07
The design of the Files framework is consistent with the design of Bro's connection handling, in that events are triggered as analysis progresses and they're handled in the very same way.
14:16
For instance, Bro declares a file_new event that is executed whenever it determines a new file analysis is underway.
14:24
file_sniff, on the other hand, is executed once Bro has performed some analysis of the first chunk of the file.
14:31
By default, that chunk is 4096 bytes.
14:33
At this point, Bro has determined the file's type and applied any specified analyzers.
14:39
Another consistency with Bro's connection handling is the Files framework's file_state_remove event, which is triggered every time Bro completes analysis of a file.
14:48
At this point, all hashing and extraction operations have completed.
14:52
Handlers for the file_state_remove event can access the calculated file hashes, and if the file was extracted, then do something with the file.
15:01
It's very helpful to remember this event for when you need to perform some external action on files extracted by Bro.
15:11
In this segment, we reviewed Bro events in detail.
15:13
I described how events can be associated with real-life occurrences that relate to network traffic analysis.
15:20
I also mentioned how handlers are defined and executed based on priority.
15:24
After that, I described how events and handlers are declared and invoked.
15:28
From there, we reviewed several of Bro's built-in events, including process events like bro_init and bro_done,
15:35
as well as connection-oriented events like connection_state_remove.
15:39
Finally, I discussed how application protocol and file analysis events are also available for handling in Bro script.
15:46
This exposes a tremendous amount of extensibility and potential for implementing many analysis use cases.
15:54
In the next section we'll introduce Bro's other types and expand on our previous examples to illustrate how and why those types are used.
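The script below is an added example and is not part of the video transcript above or of the course's own material. It puts the segment's concepts into one runnable Zeek script: a script-declared event with its own handlers at two priorities, the process events, the connection_state_remove handler reading sub-record fields with `$`, a log_ event handler on HTTP::Info, and the file_sniff/file_state_remove pair. It assumes current Zeek event names (zeek_init/zeek_done; Bro 2.x spelled these bro_init/bro_done), and the module name Demo, the Demo::alert_triggered event and the suspicious_ua pattern are hypothetical, defined here only for illustration.

```zeek
# Added example, not from the video. Assumes Zeek 3.x or later
# (zeek_init/zeek_done were bro_init/bro_done in Bro 2.x).
# Module name, the Demo::alert_triggered event and suspicious_ua are
# hypothetical and exist only to illustrate declaration vs. invocation.
module Demo;

export {
    ## Declaration: a script-defined event. Declaring it creates its
    ## event queue; handlers anywhere may attach to it by this name.
    global alert_triggered: event(c: connection, reason: string);

    ## Hypothetical pattern of user agents worth flagging.
    const suspicious_ua = /curl|python-requests|nikto/ &redef;
}

# Process events: once at startup (higher priority runs before the
# default-priority zeek_init handlers of other scripts) and once at shutdown.
event zeek_init() &priority=10
    {
    print "Demo: loaded";
    }

event zeek_done()
    {
    print "Demo: shutting down, flush any per-script state here";
    }

# Connection state event: fires for every connection regardless of
# protocol, after all analyzers have finished with it.
event connection_state_remove(c: connection)
    {
    # c$http is only set when the HTTP analyzer ran; test presence with ?$
    # before dereferencing an &optional field.
    if ( c?$http && c$http?$host )
        # Invocation: queues every Demo::alert_triggered handler, in
        # priority order, with these arguments.
        event Demo::alert_triggered(c, fmt("HTTP host %s", c$http$host));
    }

# Log event: the HTTP analyzer hands over its finished Info record.
event HTTP::log_http(rec: HTTP::Info)
    {
    if ( rec?$user_agent && suspicious_ua in rec$user_agent )
        print fmt("%s suspicious user agent: %s", rec$uid, rec$user_agent);
    }

# Two handlers for the same event; the higher priority one runs first.
event Demo::alert_triggered(c: connection, reason: string) &priority=5
    {
    # Sub-record access: c$id is a conn_id record holding the 4-tuple.
    print fmt("[first]  %s %s:%s -> %s:%s", c$uid,
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
    }

event Demo::alert_triggered(c: connection, reason: string) &priority=-5
    {
    print fmt("[second] %s %s", c$uid, reason);
    }

# File analysis: file_sniff runs once the first chunk has been typed, so
# this is where to attach analyzers such as hashing.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    Files::add_analyzer(f, Files::ANALYZER_SHA1);
    }

# file_state_remove runs when hashing and extraction have completed.
event file_state_remove(f: fa_file)
    {
    if ( f?$info && f$info?$sha1 )
        print fmt("file %s sha1 %s", f$id, f$info$sha1);
    }
```

Run it offline against a capture with `zeek -r capture.pcap demo.zeek` (file names assumed). Note that the two Demo::alert_triggered handlers could live in different scripts and still both run, since the event is declared in an export block, whereas the handlers themselves are not visible to other scripts.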


Intro to Zeek Scripting with Bricata

The goal of this course is to provide you with an introduction to Zeek (formerly Bro) the application and the programming language. While the logs Zeek produces natively can be extremely useful, its full value is realized through its scripting interface.

Instructed By

Bricata
Instructor
Adam Pumphrey
CEO and Principal Consultant at Nimbus LLC
Instructor