Thursday, October 20, 2016
Monday, October 3, 2016
Bro's New Package ManagerAfter a long period of being on Bro's development projects wishlist, Bro now has a working prototype of a package management tool. The idea behind it is to provide Bro users with a command-line tool, bro-pkg, that they can use to manage third-party Bro scripts and/or plugins in the form of "packages." At the same time, the project aims to provide a centralized location for anyone to share the Bro packages that they have developed, making them readily available to users of the package manager. Ahead, we'll show some examples of its basic functions and capabilities.
- bro-pkg is new and there may still be bugs.
- Packages installed via bro-pkg come with no guarantees. Anyone is free to submit packages, so don't assume that any particular package is safe to install unless you have reason to trust the author or have reviewed the package's code yourself.
Basic Usage/WorkflowYou can see the Bro Package Manager documentation for full usage/setup instructions, but here's a quick example of what using the package manager will look like.
Checking all available packages:
$ bro-pkg list all bro/0xxon/bro-sumstats-counttable - Two-dimensional buckets for sumstats (count occurences per $str). bro/broala/bro-long-connections bro/dopheide/bro_notice_correlation - Adds support for multi-notice correlation. bro/initconf/scan-NG - Clusterized scan-detection based of bro-1.5.3 scan-detection policies bro/jonzeolla/scan-sampling - Modified version of scan.bro to add destination IP sampling. bro/jsiwek/bro-test-package bro/sethhall/preit-card-exposure - Detect and log credit cards. bro/sethhall/domain-tld - Bro script library for getting the effective TLD of a domain. bro/sethhall/ssn-exposure - Detect and log US Social Security numbers.
Searching for interesting packages based on keyword tags:
$ bro-pkg search file analysis bro/sethhall/credit-card-exposure - Detect and log credit cards. bro/sethhall/ssn-exposure - Detect and log US Social Security numbers.
Get more information on a package:
$ bro-pkg info credit-card-exposure "bro/sethhall/credit-card-exposure" info: versions:  package metadata (from version "master"): build_command = plugin_dir = build script_dir = scripts version = 1.1.0 index metadata: description = Detect and log credit cards. tags = file analysis, credit card, cc, dlp, data loss url = https://github.com/sethhall/credit-card-exposure
$ bro-pkg install credit-card-exposure The following packages will be INSTALLED: bro/sethhall/credit-card-exposure (master) Proceed? [Y/n] y Installed "bro/sethhall/credit-card-exposure" (master) Loaded "bro/sethhall/credit-card-exposure
Later on, you'd check if any packages have been updated:
$ bro-pkg refresh Refreshed source packages: no changes Refreshed installed packages: no new outdated packages
And if a new version of any package is available (in this case, it was not), you could upgrade to it:
$ bro-pkg upgrade All packages already up-to-date.
If you're interested in how to get your own packages listed by bro-pkg, checkout the README of the bro/packages GitHub repository.
RoadmapThe only major, planned feature to add to bro-pkg is automatic dependency analysis/resolution. e.g. packages should be able to specify a particular Bro version that they require and list other packages (and their version) that they depend on. Then, for packages that specify such dependencies bro-pkg should automatically be able to install/upgrade package dependencies if the user gives their consent.
If you have ideas/suggestions for new features or other feedback, you can find how to get in touch w/ the Bro team here.
If you find bugs, you can report them on the project's GitHub page. Patches and pull requests are also welcome.