A.7 The bro/logs Directory

All logs take the form

     type.hostname.start_date/time-end_date/time

The date/time stamps for each record in the files are always in UNIX (ticks since epoch) format.

type is one of the following:

alarm

Network occurrences that are determined to be of high importance will be written into the alarm file. The determination is made by the Bro policy scripts. Local site modifications can override default Bro alarms or create new ones that are site specific. Each entry contains the date/time, the alarm type, and a description of the alarm. This file is usually the "starting point" for investigation. Each alarm should be evaluated for further follow-up action.

conn

All network connections detected by Bro are recorded in this file. A connection is defined by an initial packet that attempts to set up a session and all subsequent packets that take part in the session. Initial packets that fail to set up a session are also recorded as connections and are tagged with a failure state that designates the reason for failure. Each entry contains the following data describing the connection: date/time, the duration of the connection, the local and remote ip addresses and ports, bytes transferred in each direction, the transport protocol (udp, tcp), the final state of the connection, and other information describing the connection. This file is often used in forensic analysis to determine network activity by a suspect host beyond the immediate alarm.
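The forensic use described above, as an added example that is not part of the Bro manual: it pulls every connection a suspect host took part in out of a conn log and renders the UNIX timestamps. It assumes whitespace-separated records in the field order the paragraph lists (timestamp, duration, originator and responder addresses, service, ports, protocol, bytes each way, final state); the sample records are constructed, and real Bro output may carry further trailing fields, which the parser ignores.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records in the assumed field order:
# ts duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes state
SAMPLE_CONN_LOG = """\
1040000000.123 0.350 10.1.1.5 192.0.2.10 http 51000 80 tcp 420 1780 SF
1040000001.500 2.000 10.1.1.7 192.0.2.20 ssh 52000 22 tcp 1200 900 SF
1040000003.000 0.000 198.51.100.9 10.1.1.5 other 40000 445 tcp 0 0 REJ
1040000004.250 30.0 10.1.1.5 192.0.2.30 dns 53001 53 udp 64 128 SF
malformed line that must be skipped rather than abort the run
"""

@dataclass
class Conn:
    ts: float          # UNIX epoch seconds, as in every Bro log record
    duration: float
    orig_h: str
    resp_h: str
    service: str
    orig_p: int
    resp_p: int
    proto: str         # tcp or udp
    orig_bytes: int
    resp_bytes: int
    state: str         # final connection state, e.g. SF (normal) or REJ

def parse_conn(text: str) -> list[Conn]:
    """Parse well-formed records; skip anything that does not fit the layout."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11:
            continue
        try:
            out.append(Conn(float(f[0]), float(f[1]), f[2], f[3], f[4], int(f[5]),
                            int(f[6]), f[7], int(f[8]), int(f[9]), f[10]))
        except ValueError:
            continue  # non-numeric field where a number belongs: not a conn record
    return out

def activity_for_host(text: str, host: str) -> list[Conn]:
    """Every connection the host originated or answered, oldest first."""
    return sorted((c for c in parse_conn(text) if host in (c.orig_h, c.resp_h)),
                  key=lambda c: c.ts)

def iso_utc(ts: float) -> str:
    """Render a record's epoch timestamp as a UTC ISO-8601 string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
```

Running `activity_for_host(SAMPLE_CONN_LOG, "10.1.1.5")` returns the three records involving that host, including the rejected inbound attempt on port 445 that an alarm-only view would miss.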

ftp

All transactions involving the well known ftp control port (21) are recorded into this file. Each entry is marked by an arbitrary session number, allowing full ftp control sessions to be reconstructed. Each entry contains the date/time, a session number, and ftp connection information or the specific ftp commands transferred. This file is often used to examine details of suspect ftp sessions.

http

All transactions involving the well known http ports (80, 8000, 8080) are recorded into this file. Each entry is marked by an arbitrary session number, allowing the full http session to be reconstructed. Each entry contains the date/time, a session number, and http connection information or the specific http commands transferred. This file is often used to examine details of suspect web sessions.

info

This file contains information concerning the operation of Bro during the time interval covered by the file. The entries will consist of the Bro version number, startup information, and Bro runtime warnings and errors. This file is helpful in troubleshooting Bro operational difficulties.

notice

Network occurrences that are determined to be of nominal importance will be written into the notice file. The determination is made by the Bro policy scripts. Local site modifications can override default Bro alarms or create new ones that are site specific. The notice files are similar to the alarm files, but of lesser importance. Each entry contains the date/time, a notice type, a notice action, the local and remote ip addresses and ports. Optionally, depending on the type of notice, an entry might contain information about user, filename, method, URL, and other messages. This file alerts to occurrences that are worth noting, but do not warrant an alarm.

signatures

This file contains information associated with specific signature matches. These matches do not necessarily correspond to all alarms or notices, only to those that are triggered by a signature. Each entry contains the date/time, a description of the signature, the local and remote ip addresses and ports, the signature id number (if available), a description of the signature trigger, a portion of the offending payload data, a count of that particular signature, and a count of the number of involved hosts. This file gives details that are helpful in evaluating whether an event triggered by a signature match is a false positive.

smtp

All transactions involving the well known smtp port (25) are recorded into this file. Each entry is marked by an arbitrary session number, allowing full smtp sessions to be reconstructed. Each entry contains the date/time, a session number, and smtp connection information or the specific smtp commands transferred. This file is often used to examine details of suspect mail sessions.

software

This file is a record of all unique host/software pairs detected by Bro during the time interval covered by the file. Each entry in the file contains the date/time, the ip address of the host, and information about the software detected. This file can be useful for cataloging network software. However, population of this file on a busy network often results in a huge number of entries. Since the relative daily usefulness of the file usually does not warrant the disk space it consumes, the software file is turned off by default. It can be turned on by <<<instructions>>>

weird

Network events that are unusual or exceptional are recorded in this file. A number of these events "shouldn't" or even "can't" happen according to accepted protocol definitions, yet they do. Each entry in the file contains the date/time, the local and remote ip addresses and ports, and a short description of the weird activity. This file is useful for detecting odd behavior that might normally "fly under the radar" and also for getting a general sense of the amount of "garbage" that is on the network.

worm

Bro's worm.bro policy detects patterns generated by specific worms and records the instance in this file. Currently, the worms detected are code red1, code red2, nimda, and slammer. Each entry in the file contains the date/time, the worm detected, and the source ip address of the worm. This file is useful for spotting hosts that have been infected with worms.

Other files in the /logs directory are:

.state

To be completed

active_log

To be completed