Time
1 hour 24 minutes
Difficulty
Beginner
CEU/CPE
1

Video Description

In this segment we dive a little deeper into Zeek's programming language and highlight some of its core functionality through its components including directives, declarations and types. These components each play specific roles in the language and make many of Zeek's network analysis features a reality. Through the use of live examples, we'll illustrate where and why these components are used in Zeek script.

Video Transcription

00:00
In this next section we'll review three important components of Bro's programming language: directives, declarations and types.
00:08
The first language component I want to discuss is the directive. Directives in Bro determine what Bro script is to be loaded and executed.
00:17
Directives are used to satisfy script dependencies and constrain script execution to certain conditions or even specific cluster nodes.
00:26
Declarations, on the other hand, control type and variable definition as well as accessibility based on scope.
00:33
I'll describe declarations and scope in more detail in the coming slides.
00:37
Bro also includes many other types that are common to other programming languages,
00:42
like strings, integers, doubles and container types like tables.
00:47
Tables in Bro are similar to dictionaries in Python,
00:50
and we'll find many other similarities in these components.
00:54
However, Bro's specialization is in network traffic analysis, and this is what sets it apart from other languages.
01:00
For that purpose, Bro defines domain-specific types like IPs, subnets and ports.
01:07
As we discussed in the previous section, Bro's event-based programming model helps translate real-world traffic analysis events to events occurring in Bro.
01:15
Features and functionality in the language, like its domain-specific types, provide programming constructs that make it ideal for describing network communications.
01:26
Now let's talk about directives.
01:29
The Bro scripting language includes what are known as directives.
01:32
Directives affect what scripts are loaded and what lines of script code are executed.
01:37
Without directives, @load in particular, nothing else would happen in Bro.
01:42
The first directive I want to mention is @DIR.
01:45
@DIR acts something like an environment variable in shell scripting. It reflects the current working directory the script is sitting in.
01:51
Like @DIR, @FILENAME reflects the name of the script itself. These directives can be very helpful in a variety of ways, as they provide information about where the script resides on the file system.
02:01
@load is a special directive, and as I mentioned a minute ago, it's critical to making things happen in Bro.
02:07
@load specifies a script or module directory the script interpreter should load and execute.
02:14
@load statements are executed immediately, which is why they're also used to satisfy a script's dependencies.
02:20
If your script uses a function or variable defined in another module,
02:23
you should include an appropriate @load statement to make sure that module is loaded and available.
02:30
@load-sigs is a little different. This directive tells Bro to read and interpret a file in the format defined by Bro's signature framework.
02:38
This format is similar in concept to Snort rules; however, a signature match results in the execution of an event
02:44
and its handlers, not necessarily in the generation of an alert.
02:47
Finally, the @if and @endif directives.
02:51
These are special directives that determine what lines of script code will be executed.
02:54
@if allows you to specify a logical test that determines whether the lines of code that follow,
03:00
up to the @endif directive, should be run.
03:02
This is a powerful feature and used extensively to make Bro scripts cluster aware,
03:07
that is, they create blocks of script code that will only be run on specific cluster nodes, as determined by the supplied test.
03:16
Now let's talk about declarations.
03:20
Declarations are used to create type instances and variables, as well as determine the scope of identifiers in Bro script.
03:27
Variable declarations can occur before the variable is actually initialized or used.
03:31
The first two declarations are used to declare a namespace and manage what is accessible outside of it from other scripts.
03:38
The module declaration keyword specifies the namespace for the script.
03:43
Every declaration that occurs after it, until the next module keyword,
03:46
belongs to the specified namespace.
03:50
The export keyword is used to define a block of other declarations that are made available to other scripts.
03:55
Within the export block, you will often find global and const declarations.
04:00
The global keyword is used to mark variables and user-defined types globally accessible.
04:05
Consts can be redefined but cannot be modified after they're initialized.
04:11
They remain constant throughout the lifetime of the Bro process.
04:15
The type declaration is used to specify user-defined types. An important takeaway is that the type declaration is most commonly used to create records and enums.
04:25
Records and enums are used widely in Bro scripting, in particular by the logging framework.
04:30
redef is a declaration that is widely used to tune and tweak existing Bro scripts.
04:34
redef declarations modify a global variable or constant that was declared with the &redef attribute.
04:42
By making certain variables globally accessible and redefinable,
04:46
Bro scripts can expose customization options to Bro users without requiring that they modify scripts directly.
04:53
This is great for turning features on and off, setting options and providing additional metadata to the script.
04:59
There are a few other declaration types that I'll only briefly mention here. They are functions, events and hooks.
05:04
In the previous section, I described the differences between declaration and invocation as it relates to events, and the same principles apply to both hooks and functions.
05:15
We'll discuss this more in a few slides.
05:16
Now let's take a look at some of Bro's non-executable types.
05:21
Bro is like many other programming languages in its support of common non-executable types.
05:27
Specifically, Bro makes three different numeric types available: count, int and double.
05:32
count and int are very similar. In fact, the only perceptible difference is that int is signed, or supports negative and positive values.
05:42
count, on the other hand, can only be positive.
05:45
Both int and count support the same mathematical operations.
05:48
double is a special numeric type that is for representing double precision floating point numbers. Doubles can also be positive or negative, and like count and int,
05:58
can be expressed in hexadecimal format.
06:00
All of the numeric types support a variety of arithmetic operators, such as addition, subtraction, multiplication, division and modulo.
06:10
Like the numeric types, the string type is another very commonly used type in Bro.
06:15
Strings are enclosed in double quotes and contain a string of bytes that represent text or can be used to represent arbitrary binary data.
06:23
Strings can be concatenated and compared, and there are numerous built-in functions for transforming and working with strings in useful ways.
06:31
String types also support a variety of built-in operators such as relational and equality tests,
06:38
length operators and substring extraction.
06:42
I've included a link to more information about built-in string functions in the Resources section.
06:47
Bro's regular expression capabilities are implemented by the pattern type.
06:53
Patterns are declared as constants, in that they don't change after they're initialized.
06:57
They provide an extensive syntax for representing textual data and are used throughout Bro for operations that require fast text searching.
07:05
Other languages also have a way of representing true or false, typically as a result of a logical test of some kind.
07:14
In Bro, the true or false type is called a bool.
07:16
bool represents true as a capital T and false as a capital F.
07:23
Bro also shares the notion of container types with other programming languages.
07:28
Container types are specifically intended for storing data.
07:30
Available container types include vectors, sets, tables and records.
07:35
Tables map one set of values, the indices, to another, the yield.
07:41
Indices can be one of the many non-executable types, with the exception of things like patterns and other containers. The values, or yields, on the other hand, have fewer restrictions.
07:50
In fact, a field in a table can be another table, allowing for the representation of very complex, multi-dimensional data structures.
07:59
Tables support indexing with the double bracket operator and membership tests with the in and not in operators.
08:07
Tables are used throughout Bro and are one of the main mechanisms that make tracking network activity and protocol usage across multiple connections possible.
08:15
Sets are similar to tables, but their indices do not have yield values. In essence, this makes them a list of unique things, and they can be very useful in Bro script for that reason. For example, a set can be used to keep a running list of unique URLs
08:30
or IP addresses, or IP and port pairings.
08:33
Like tables, sets support a variety of attributes that affect how long an element will remain in the container.
08:39
We'll discuss attributes a little more in the next segment.
08:41
Vectors are similar to arrays or lists in other languages. They're an ordered list of things.
08:48
If you want to access an element of the list, you use the double bracket operator to specify the position of the element in the list. The position of the first element is always zero, and each index increments by one up from there. I've discussed records a few times already. They're a user-defined type that is a collection of values.
09:07
Each value has a name and a type, and types can be different.
09:11
Records are another foundational component of the language and used extensively for representing an instance of something, a connection, for example.
09:18
In the previous segment, we saw a few of the ways records can be constructed. After they're initialized, a record instance's fields can be accessed using the dollar sign operator,
09:28
and field existence can be tested using the question mark dollar sign operator.
09:33
The next type category I want to mention is the network types.
09:35
These are part of what makes Bro domain specific, as they're used to describe network traffic.
09:41
The port type is a representation of the TCP or UDP port number.
09:46
In the case of ICMP,
09:48
the source port is equal to the ICMP message type and the destination port, the ICMP message code.
09:54
Ports are written as an unsigned integer, followed by a string that designates the transport protocol: TCP, UDP or ICMP.
10:03
addr and subnet are also special network types that are used to represent IP addresses and subnets, respectively.
10:09
Both IPv4 and IPv6 addresses are supported, and an addr can be tested for membership in a subnet by using the in operator. This is very useful functionality that we'll see again in an upcoming example.
10:22
Finally, there are two types specifically for describing time.
10:26
The first is the time type. This is a positive double that represents the absolute time. The interval type represents the relative time between two consecutive time values.
10:35
Time is critical in network traffic analysis, which is why the time type is used to record the occurrence of each network event written to a Bro log.
10:43
Now let's take a look at some of Bro's executable types.
10:46
I've mentioned Bro's executable types several times throughout this course. Each of these types is both declared and invoked. These are two distinct operations, and it's useful to have a strong understanding of the difference. Functions in Bro are similar to functions in other languages. They are usually given a name,
11:03
define some block of code, made up of statements and operators, and optionally return a value when they're invoked.
11:09
Functions are invoked using the function's name, followed by any required arguments.
11:15
Once invoked, functions are executed immediately. That is, they're not queued and do not have a priority. You'll see functions used throughout Bro to make script code accessible and reusable. This is a very common and useful practice in programming.
11:28
Event handlers are similar to functions. However, they do not support return values, and they are queued when invoked. As I mentioned in the previous segment, event handlers are queued in an order of priority, which is specified when they're declared. Event handler bodies can also contain the event and schedule statements, which result in the execution of other handlers
11:48
or, in some cases, the handler they're contained in.
11:50
This feature can be used to create an event loop, where a handler is executed, then schedules itself to be run again on some interval.
11:58
The final executable type is a hook.
12:01
Hooks are more like a blend of functions and events.
12:05
They're executable blocks of code, with an optional predefined set of arguments.
12:09
Hook handlers are assigned a priority, which determines their execution order,
12:13
but they're executed immediately, not scheduled.
12:18
A unique attribute of hook handlers is that they can prevent the execution of lower priority handlers by issuing the break statement.
12:24
Hooks have a single built-in return type, a bool that signifies whether all of the handlers ran (true) or only some or none of the handlers ran (false).
12:35
Now let's discuss some of Bro's other statements and operators.
12:39
I've mentioned several operators along the way that allow for testing, interacting with and manipulating Bro's built-in types.
12:46
Now let's review a couple of operators that I haven't mentioned up to this point.
12:50
The first are logical operators; that is, they represent the logical and, or and not.
12:56
These operators are often used in conjunction with an if statement.
13:01
You can use combinations of these operators to build out very complex conditions in your Bro script.
13:07
Assignment operators set one value equal to another, or add to or subtract from one value another.
13:15
Assignment operators are found everywhere in Bro, especially in places where variables are being initialized or where values are assigned to record fields.
13:22
Membership tests are performed with the in and not in operators.
13:28
They can be used with sets and tables to check for the presence of a value.
13:33
Membership tests can also be used to check a subnet for the presence of an addr.
13:37
This is incredibly useful functionality, and something Bro's core relies heavily upon.
13:43
Statements in Bro are similar to commands. They instruct the script interpreter to perform some action.
13:48
local declares a local variable inside of an executable type.
13:52
add and delete are used for managing elements in a container.
13:56
print will print the provided argument to standard out, which is very useful for testing and getting to know the language.
14:03
for, while, next and break are all statements that relate to loops.
14:07
The for and while statements are used to create a loop,
14:11
and the next and break statements cause the loop to continue to the next iteration or exit, respectively. For making asynchronous calls, like issuing a Unix CLI command and waiting for the output, Bro provides the when statement. return is a special statement used to exit from the body of a function or event.
14:28
Return statements used in a function body can yield a value of a predefined type.
14:33
The return value of a function is actually the result of the expression to the right of the return statement.
14:39
The last two statements I'll mention here are event and schedule. Both are used to execute event handlers.
14:46
The event statement queues the matching event handlers for execution in their defined priority.
14:50
schedule does the same thing, except at a specified interval.
14:54
You've heard me say "when event handlers are executed" many times throughout this course, and this is why:
15:00
when an event is triggered, generated or executed inside of Bro script, it is done with one of these two statements.
15:07
Now, in summary, let's review some of the key points discussed in previous slides.
15:11
In this section, I provided a high-level overview of many of the core concepts of Bro's programming language.
15:16
First, we discussed directives.
15:18
Directives are critical to the execution of Bro script, as they determine which scripts get loaded and which lines of code get executed.
15:26
All things performed by the script interpreter start with the @load directive.
15:31
Next, I described several of Bro's declarations, which are used to define, create and initialize things in Bro.
15:37
You'll use the global and const declarations to create exported variables and constants,
15:41
and the redef declaration for replacing or modifying variables defined by other scripts.
15:48
Declarations like module and export are used in conjunction with each other to create and manage what variables are accessible outside of a script.
15:56
We then discussed some of Bro's types,
15:58
in particular its non-executable types.
16:02
I described types common to many other programming languages, like numeric types, strings and regular expressions.
16:07
I also described the types that make Bro domain specific, such as the port, addr and subnet types.
16:15
Bro's executable types provide a way to get things done in the language.
16:18
We discussed events extensively throughout this course, and they are only one of three executable types in Bro.
16:26
Functions are executable code blocks that are immediately executed when invoked
16:30
and optionally return a value of a predefined type.
16:33
Hooks are similar in concept to both events and functions, and are used in cases where neither of these types meets the specific needs of the situation.
16:42
Finally, we briefly discussed several of Bro's operators and statements.
16:48
These are foundational components of the language,
16:49
as they are what tell the script interpreter what to do.
16:52
We've seen many examples of operators and statements in use so far. In the next and final section, we'll revisit these and use some customization to add functionality to our previously defined script.

Up Next

Intro to Zeek Scripting with Bricata

The goal of this course is to provide you with an introduction to Zeek (formerly Bro) the application and the programming language. While the logs Zeek produces natively can be extremely useful, its full value is realized through its scripting interface.

Instructed By

Bricata
Instructor
Adam Pumphrey
CEO and Principal Consultant at Nimbus LLC
Instructor