Skip to content

Instantly share code, notes, and snippets.

View bro-output-plugin-barnyard2-1.9-beta1.diff
diff --git a/ b/
index c820a9a..d754ed9 100644
--- a/
+++ b/
@@ -928,6 +928,43 @@ if test "x$enable_aruba" = "xyes"; then
+[ --enable-bro Enable Bro output plugin],
sethhall / gist:651616
Created Oct 28, 2010
Bro-IDS Output from syslog policy script.
View gist:651616
ts orig_h orig_p resp_h resp_p facility severity msg
1260226618.22805 44457 514 DAEMON NOTICE Dec 7 14:58:31 SEL-3620B Login: Login successful by: admin at^J
sethhall / cluster-layout.bro
Created Jul 8, 2011
Example cluster-layout.bro
View cluster-layout.bro
redef Cluster::nodes = {
["manager-1"] = [$node_type=Cluster::MANAGER, $ip=, $p=47757/tcp, $workers=set("worker-1")],
["proxy-1"] = [$node_type=Cluster::PROXY, $ip=, $p=47758/tcp, $manager="manager-1", $workers=set("worker-1")],
["worker-1"] = [$node_type=Cluster::WORKER, $ip=, $p=47759/tcp, $proxy="proxy-1", $manager="manager-1", $interface="eth1"],
["control"] = [$node_type=Cluster::CONTROL, $ip=, $p=47761/tcp],
["time-machine"] = [$node_type=Cluster::TIME_MACHINE, $ip=, $p=47762/tcp],
sethhall / gist:3248309
Created Aug 3, 2012
hello world in Bro.
View gist:3248309
event bro_init()
print "hello world!";
sethhall / gist:4005673
Created Nov 3, 2012
Example Bro HTTP API
View gist:4005673
module ActiveHTTP;
export {
## The default timeout for HTTP requests.
const default_request_timeout = 1min &redef;
## The default HTTP method/verb to use for requests.
const default_method = "GET" &redef;
type Request: record {
sethhall / gist:4221576
Created Dec 6, 2012
MS Cert Store parser
View gist:4221576
module MSCerts;
type SerializedPropertyEntry = unit {
id : uint32;
encodingType : uint32;
len : uint32;
value : bytes &length=self.len;
sethhall / gist:4952723
Created Feb 14, 2013
"tlsdate -v" output on MacOS X.8
View gist:4952723
V: tlsdate version 0.0.6
V: We were called with the following arguments:
V: validate SSL certificates host =
V: time is currently 1360847906.161771000
V: time is greater than RECENT_COMPILE_DATE
V: using TLSv1_client_method()
V: Using OpenSSL for SSL
V: opening socket to
V: certificate verification passed
V: commonName matched:
View gist:5093794
local a = Metrics::create_measurement("apps.bytes", [$measure=set(Metrics::SUM)]);
local b = Metrics::create_measurement("apps.hits", [$measure=set(Metrics::UNIQUE)]);
Metrics::create_metric([$every=break_interval, $measurements=set(a, b),
$period_finished(ts: time, metric_name: string, filter_name: string, data: Metrics::MetricTable) =
print "woo";
sethhall / lots-of-dns.bro
Created Apr 10, 2013
This is a quick script using the measurement framework in Bro to watch for too many unique DNS requests from a single host. At this point in time this code doesn't even work in git master (but it does work!).
View lots-of-dns.bro
module DNS;
export {
redef enum Notice::Type += {
## We saw a lot of unique DNS requests!
View file_analysis_test.bro
event file_windows_pe_dosstub(f: fa_file, checksum: count)
print fmt("pe header offset: %d", checksum);
event file_windows_pe_timestamp(f: fa_file, ts: time)
print fmt("timestamp! %D", ts);
print f$mime_type;