Track2Agenda: bro-intro.htm

File bro-intro.htm, 41.6 KB (added by trac, 6 years ago)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title></title>
  <style type="text/css">code{white-space: pre;}</style>
</head>
<body>
<div id="TOC">
<ul>
<li><a href="#what-is-bro"><span class="toc-section-number">1</span> What is Bro?</a><ul>
<li><a href="#where-does-bro-get-data"><span class="toc-section-number">1.1</span> Where does Bro get data?</a></li>
<li><a href="#what-data-does-bro-produce"><span class="toc-section-number">1.2</span> What data does Bro Produce?</a></li>
<li><a href="#how-is-bro-applied"><span class="toc-section-number">1.3</span> How is Bro Applied?</a></li>
</ul></li>
<li><a href="#installing"><span class="toc-section-number">2</span> Installing</a><ul>
<li><a href="#tapping-your-network"><span class="toc-section-number">2.1</span> Tapping your network</a><ul>
<li><a href="#taps"><span class="toc-section-number">2.1.1</span> Taps</a></li>
<li><a href="#port-mirroring-span-sessions"><span class="toc-section-number">2.1.2</span> Port Mirroring / SPAN Sessions</a></li>
<li><a href="#configuring-span-port-on-a-cisco-3750"><span class="toc-section-number">2.1.3</span> Configuring SPAN Port on a Cisco 3750</a></li>
</ul></li>
</ul></li>
<li><a href="#how-does-bro-work"><span class="toc-section-number">3</span> How does Bro Work?</a><ul>
<li><a href="#bro-cluster-vs-standalone"><span class="toc-section-number">3.1</span> Bro Cluster vs Standalone</a><ul>
<li><a href="#bro-cluster"><span class="toc-section-number">3.1.1</span> Bro Cluster</a></li>
<li><a href="#bro-stand-alone"><span class="toc-section-number">3.1.2</span> Bro Stand alone</a></li>
</ul></li>
<li><a href="#bro-cluster-architecture"><span class="toc-section-number">3.2</span> Bro Cluster Architecture</a></li>
<li><a href="#configuring-the-cluster-architecture"><span class="toc-section-number">3.3</span> Configuring the Cluster Architecture</a></li>
<li><a href="#bro-software-architecture"><span class="toc-section-number">3.4</span> Bro Software Architecture</a></li>
<li><a href="#the-bro-scripting-language"><span class="toc-section-number">3.5</span> The &quot;Bro&quot; Scripting Language</a><ul>
<li><a href="#events"><span class="toc-section-number">3.5.1</span> Events</a></li>
<li><a href="#data-types"><span class="toc-section-number">3.5.2</span> Data Types</a></li>
</ul></li>
<li><a href="#extracting-information-an-event"><span class="toc-section-number">3.6</span> Extracting information from an Event</a></li>
<li><a href="#syntax-tips"><span class="toc-section-number">3.7</span> Syntax Tips</a></li>
<li><a href="#workshop"><span class="toc-section-number">3.8</span> Workshop</a><ul>
<li><a href="#exercise-1-exploring-bro-logs-in-splunk"><span class="toc-section-number">3.8.1</span> Exercise 1: Exploring Bro Logs in Splunk</a></li>
<li><a href="#exercise-2-modifying-hello-script"><span class="toc-section-number">3.8.2</span> Exercise 2: Modifying &quot;hello&quot; Script</a></li>
</ul></li>
</ul></li>
</ul>
</div>
<h1 id="what-is-bro"><span class="header-section-number">1</span> What is Bro?</h1>
<ul>
<li><p>Bro is an open-source network security platform that turns incoming packet streams into high-level events. Bro allows you to configure an array of real-time alerts, execute arbitrary programs on demand, and log data for later use. [1]</p></li>
<li><p>Bro began as a research project at the Lawrence Berkeley National Laboratory in 1995 and moved into operational deployment there a year later. [1]</p></li>
<li><p>Bro has been compared to tcpdump, Wireshark, Snort, NetFlow, and Perl (or any other scripting language) all in one. [2]</p></li>
</ul>
<h2 id="where-does-bro-get-data"><span class="header-section-number">1.1</span> Where does Bro get data?</h2>
<ul>
<li>PCAP</li>
<li>Tapped / SPAN'ed Network traffic</li>
</ul>
<h2 id="what-data-does-bro-produce"><span class="header-section-number">1.2</span> What data does Bro Produce?</h2>
<ul>
<li><p>Events</p>
<pre><code> event http_header(c: connection, is_orig: bool, name: string, value: string)</code></pre></li>
<li><p>Logs</p>
<pre><code>1428008490.419994   CiMFm14le11UPtJhkl  10.1.1.34   57913   38.102.137.159  80  1   GET stationdata.wunderground.com    /cgi-bin/stationlookup?format=json&amp;maxage=10&amp;station=KNYNEWYO118&amp;units=english&amp;v=2.0&amp;callback=jQuery17203764660065062344_1428008136674&amp;_=1428008438624  http://www.wunderground.com/cgi-bin/findweather/hdfForecast?query=10010&amp;MR=1    Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36   0   310 200 OK   -   -   -   (empty) -   -   -   -   -   Fx8RKotcNrCGtMpG3   text/plain</code></pre></li>
</ul>
<h2 id="how-is-bro-applied"><span class="header-section-number">1.3</span> How is Bro Applied?</h2>
<ul>
<li>Network Forensics
<ul>
<li>Real-time flow analysis</li>
<li>Pre-recorded flow and packet analysis</li>
</ul></li>
<li>Network File Carving
<ul>
<li>Extract files from network traffic streams</li>
</ul></li>
<li>Intrusion detection
<ul>
<li>IOC Matching</li>
<li>Policy enforcement</li>
</ul></li>
<li>Network measurement
<ul>
<li>Generate statistics about network traffic patterns and usage</li>
</ul></li>
</ul>
<h1 id="installing"><span class="header-section-number">2</span> Installing</h1>
<h2 id="tapping-your-network"><span class="header-section-number">2.1</span> Tapping your network</h2>
<ul>
<li>Where you acquire data is an important choice: the vantage point determines which view of your network's traffic you get.</li>
<li>A few things to keep in mind when deciding where to tap in your network:
<ul>
<li>How much traffic does the tap see?</li>
<li>Does the tap see both ingress and egress traffic?</li>
<li>Is there NAT in your network? Will your tap see traffic pre- or post-NAT?</li>
<li>What method are you using to acquire data? Taps? SPAN?</li>
</ul></li>
</ul>
<h3 id="taps"><span class="header-section-number">2.1.1</span> Taps</h3>
<p>A network tap is a hardware device which provides a way to access the data flowing across a computer network [3]. Taps are the preferred method for acquiring network data, especially when physical networks are the data source.</p>
<h4 id="pros"><span class="header-section-number">2.1.1.1</span> Pros</h4>
<ul>
<li>Taps are passive: they do not alter the contents of the network traffic they deliver to you</li>
<li>Taps do not drop packets. When acquiring data from a tap you can be confident of the integrity of the captured data.</li>
</ul>
<h4 id="cons"><span class="header-section-number">2.1.1.2</span> Cons</h4>
<ul>
<li>Physical taps do not work on virtual networks</li>
<li>Taps are expensive</li>
<li>Taps require infrastructure
<ul>
<li>Fiber</li>
<li>Network interfaces</li>
<li>Tap aggregators (optional)</li>
</ul></li>
</ul>
<h3 id="port-mirroring-span-sessions"><span class="header-section-number">2.1.2</span> Port Mirroring / SPAN Sessions</h3>
<ul>
<li><p>The SPAN feature, which is sometimes called port mirroring or port monitoring, selects network traffic for analysis by a network analyzer from a network switch. [4]</p></li>
<li><p>The SPAN feature was introduced on switches because of a fundamental difference between switches and hubs. When a hub receives a packet on one port, the hub sends out a copy of that packet on all ports except the one where the hub received the packet. After a switch boots, it starts to build up a Layer 2 forwarding table on the basis of the source MAC address of the different packets that the switch receives. After this forwarding table is built, the switch forwards traffic that is destined for a MAC address directly to the corresponding port. [4]</p></li>
<li><p>For example, if you want to capture Ethernet traffic that is sent by host A to host B, and both are connected to a hub, just attach a sniffer to this hub. All other ports see the traffic between hosts A and B. [4]</p></li>
</ul>
<h4 id="pros-1"><span class="header-section-number">2.1.2.1</span> Pros</h4>
<ul>
<li>Low cost - Often it can be configured on hardware you already have in your network</li>
<li>Easy to deploy - Takes no network downtime (taps require the network link to be run through them)</li>
<li>Can be used on virtual networks</li>
</ul>
<h4 id="cons-1"><span class="header-section-number">2.1.2.2</span> Cons</h4>
<ul>
<li>SPANs consume scarce switch resources, which can degrade the switch's performance and cause traffic to be dropped before it reaches your analyzer
<ul>
<li>switches forward &quot;SPAN data with a lower priority than regular port-to-port data&quot; [5]</li>
</ul></li>
<li>Limited numbers of SPAN sessions per switch [6]</li>
<li>Prone to modification of network traffic, including but not limited to:
<ul>
<li>Modification of packet timing [5]</li>
<li>Addition or removal of headers</li>
</ul></li>
</ul>
<h3 id="configuring-span-port-on-a-cisco-3750"><span class="header-section-number">2.1.3</span> Configuring SPAN Port on a Cisco 3750</h3>
<pre><code>conf t
! source: the port or VLAN whose traffic is copied; rx, tx or both selects the direction (default: both)
monitor session 1 source {interface &lt;name&gt; | vlan &lt;id&gt;} [rx | tx | both]
! destination: the port your Bro sensor is cabled to (a SPAN destination port no longer carries normal traffic)
monitor session 1 destination {interface &lt;name&gt; | vlan &lt;id&gt;}
end</code></pre>
<h1 id="how-does-bro-work"><span class="header-section-number">3</span> How does Bro Work?</h1>
<h2 id="bro-cluster-vs-standalone"><span class="header-section-number">3.1</span> Bro Cluster vs Standalone</h2>
<ul>
<li>Bro can be run as a &quot;cluster&quot; or as a &quot;stand-alone&quot; application</li>
<li>Bro clusters are typically used to scale the performance of Bro for real-time traffic analysis</li>
</ul>
<h3 id="bro-cluster"><span class="header-section-number">3.1.1</span> Bro Cluster</h3>
<p>Bro is considered to be in &quot;cluster&quot; mode when Bro is configured to use multiple processes.</p>
<ul>
<li>Bro clusters can only be used on real-time data acquired from a network interface</li>
<li>Bro clusters are most useful for flow-level traffic analysis</li>
</ul>
<h3 id="bro-stand-alone"><span class="header-section-number">3.1.2</span> Bro Stand alone</h3>
<p>Bro is considered to be in &quot;stand-alone&quot; mode when it is configured to use only one process.</p>
<ul>
<li>&quot;Stand-alone&quot; Bro can be used on real-time data acquired from a network interface or on PCAP data</li>
<li>When used as a standalone tool, Bro can be used for flow- and packet-level traffic analysis</li>
</ul>
<h2 id="bro-cluster-architecture"><span class="header-section-number">3.2</span> Bro Cluster Architecture</h2>
<p>Bro clusters consist of three components:</p>
<ol style="list-style-type: decimal">
<li><strong>Worker</strong> - Workers ingest network traffic from the interfaces, parse it, execute Bro scripts and create logs.
<ul>
<li>Clusters can have an arbitrary number of workers</li>
<li>There should be a single physical processor core for each worker in the cluster</li>
</ul></li>
<li><strong>Manager</strong> - The Manager is the component that aggregates data collected by the workers and compiles the data into a single log. The manager also handles deduplicating &quot;notice&quot; alerts.
<ul>
<li>Clusters have a single manager</li>
<li>There should be a single physical processor core for the cluster Manager</li>
</ul></li>
<li><strong>Proxy</strong> - Proxies manage the synchronization of data between Bro workers.
<ul>
<li>Clusters can have an arbitrary number of proxies</li>
<li>There should be 1 proxy for every 6 workers in your cluster</li>
<li>There should be a single physical processor core for each Proxy in the cluster</li>
</ul></li>
</ol>
<h2 id="configuring-the-cluster-architecture"><span class="header-section-number">3.3</span> Configuring the Cluster Architecture</h2>
<p>The configuration file that specifies the layout of your cluster is located in:</p>
<ul>
<li><code>$BRO_HOME/etc/node.cfg</code></li>
</ul>
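<p>As an added example (not from the original page), a <code>node.cfg</code> laid out by the sizing rules above: one manager, two proxies and twelve workers on two sensor hosts, so that there is one proxy per six workers and one core per process. The addresses, interface names and CPU numbers are placeholders; <code>lb_method</code>, <code>lb_procs</code> and <code>pin_cpus</code> are BroControl options for running several worker processes on one host.</p>

```ini
# Constructed example node.cfg (placeholder hosts/interfaces/CPUs).
# Layout: 1 manager + 2 proxies on the management host, 6 workers on each
# of two sensor hosts = 12 workers, i.e. one proxy for every six workers.

[manager]
type=manager
host=10.0.0.10

# Each proxy is its own process and wants its own core on the manager host.
[proxy-1]
type=proxy
host=10.0.0.10

[proxy-2]
type=proxy
host=10.0.0.10

# Sensor host A: one tap/SPAN feed on eth1, split across six worker processes
# (BroControl names them worker-1-1 ... worker-1-6). lb_method=pf_ring needs a
# Bro built against PF_RING; pin_cpus gives each worker a physical core of its own.
[worker-1]
type=worker
host=10.0.0.11
interface=eth1
lb_method=pf_ring
lb_procs=6
pin_cpus=1,2,3,4,5,6

# Sensor host B: identical layout on a second feed.
[worker-2]
type=worker
host=10.0.0.12
interface=eth1
lb_method=pf_ring
lb_procs=6
pin_cpus=1,2,3,4,5,6
```

After editing the file, <code>broctl install</code> followed by <code>broctl restart</code> pushes the new layout to the nodes, and <code>broctl status</code> should list the manager, both proxies and twelve worker processes.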
<h2 id="bro-software-architecture"><span class="header-section-number">3.4</span> Bro Software Architecture</h2>
<p>At a high level, Bro's core consists of four parts:</p>
<ol style="list-style-type: decimal">
<li>Packet ingest</li>
<li>Protocol parsers</li>
<li>Event Engine</li>
<li>Scripting Engine</li>
</ol>
<h2 id="the-bro-scripting-language"><span class="header-section-number">3.5</span> The &quot;Bro&quot; Scripting Language</h2>
<p>The &quot;Bro&quot; scripting language is a domain-specific language designed specifically for the analysis of network data.</p>
<h3 id="events"><span class="header-section-number">3.5.1</span> Events</h3>
<p>Data gets delivered to Bro's scripting engine in &quot;events&quot;. Events are like functions that are called each time Bro's parsers conclude a phase of parsing a file or network protocol.</p>
<p>&quot;Events&quot; most often coincide with important protocol phases such as the arrival of a DNS query (dns_query) or the establishment of a TCP session (connection_established).</p>
<ul>
<li><p>For instance, if I were interested in saving all DNS queries seen by Bro in a data structure, I would add a script containing a &quot;dns_query&quot; event handler. Within the dns_query event, there would be code for extracting data from the event and loading that data into a data structure.</p></li>
<li><p>A list of all events generated by protocol parsers is located at: http://www.bro.org/sphinx/scripts/base/event.bif.html</p></li>
</ul>
<h3 id="data-types"><span class="header-section-number">3.5.2</span> Data Types</h3>
<p>Bro is a strongly typed language: all data in a Bro script must be handled explicitly according to its type. Being a domain-specific language, Bro has a number of data types that are not common in general-purpose programming languages. Below is a list of the most common data types in the Bro language.</p>
<ul>
<li><p><strong>addr</strong> - An “addr” is a type representing IPv4 and IPv6 addresses.</p>
<pre><code>event connection_established(c: connection) {
    local a: addr;
    a = 10.1.1.1;
}</code></pre></li>
<li><p><strong>string</strong> - A &quot;string&quot; is used to hold character strings.</p>
<pre><code>event connection_established(c: connection) {
    local s: string;
    s = &quot;I'm a string&quot;;
}</code></pre></li>
<li><p><strong>table</strong> - A “table” is an associative array that maps one value (the index) to another value (the yield).</p>
<pre><code>global TrackedSessions: table[addr] of string;

event connection_established(c: connection) {
    TrackedSessions[c$id$orig_h] = c$uid;
}</code></pre></li>
<li><p><strong>record</strong> - A “record” is a collection of values (much like a struct in other well-known languages such as C++); each value has a field name and a data type. Records can hold fields of any data type, regardless of the data types of the other fields.</p>
<pre><code>export {
    type conn_id: record {
        orig_h: addr &amp;log;
        orig_p: port &amp;log;
        resp_h: addr &amp;log;
        resp_p: port &amp;log;
    };
}</code></pre></li>
<li><p><strong>subnet</strong> - A type representing a block of IP addresses in CIDR notation. A subnet constant is written as an addr followed by a slash (/) and then the network prefix size specified as a decimal number. For example, 192.168.0.0/16 or [fe80::]/64.</p>
<p>Subnets can be compared for equality (==, !=). An addr can be checked for inclusion in a subnet using the “in” or “!in” operators.</p></li>
</ul>
<h3 id="attributes"><span class="header-section-number">3.5.3</span> Attributes</h3>
<p>Attributes occur at the end of type/event declarations and change their behavior. The syntax is &amp;key or &amp;key=val, e.g., type T: set[count] &amp;read_expire=5min or event foo() &amp;priority=-3. The Bro scripting language supports a number of built-in attributes, including:</p>
<ul>
<li><strong>&amp;redef</strong> - Allows for redefinition of initial object values. This is typically used with constants; for example, const clever = T &amp;redef; would allow the constant to be redefined at some later point during script execution.</li>
</ul>
<h3 id="conditionals"><span class="header-section-number">3.5.4</span> Conditionals</h3>
<ul>
<li><p><strong>If</strong> - If statements look like this:</p>
<pre><code>if ( condition ) {
    print &quot;code!&quot;;
}</code></pre></li>
</ul>
<h3 id="loops"><span class="header-section-number">3.5.5</span> Loops</h3>
<ul>
<li><p>Bro supports &quot;for&quot; loops:</p>
<pre><code>local t: table[count] of string;
for ( n in t )
    ...

local services: table[addr, port] of string;
for ( [a, p] in services )
    ...</code></pre></li>
</ul>
<h3 id="the-anatomy-of-an-event"><span class="header-section-number">3.5.6</span> The Anatomy of an Event</h3>
<p>In this example we will be analyzing the <strong>connection_established</strong> event. The connection_established event is, &quot;Generated when [Bro sees] a SYN-ACK packet from the responder in a TCP handshake.&quot; [7]</p>
<pre><code>event connection_established(c: connection) {
    ...
}</code></pre>
<p>There are four parts to an event handler:</p>
<ol style="list-style-type: decimal">
<li>&quot;event&quot; - This tells Bro that an event name will follow</li>
<li>&quot;connection_established&quot; - This tells Bro which event you would like to &quot;hook&quot;</li>
<li>&quot;(c: connection)&quot; - This indicates that the event will be loaded with a variable named &quot;c&quot; of type &quot;connection&quot;</li>
<li>&quot;{ ... }&quot; - The code for your Bro script goes between the two curly braces. It is represented by an ellipsis in this example.</li>
</ol>
<h3 id="the-connection-record"><span class="header-section-number">3.5.7</span> The Connection Record</h3>
<p>A &quot;connection&quot; is a very common data type in Bro. If you understand how it works, you will be well on your way to understanding most data loaded in Bro events.</p>
<p>A &quot;connection&quot; is not a primitive data type in Bro. Instead, it is a construct created in Bro script to deliver data for TCP connections. A &quot;connection&quot; is created with the primitive data type &quot;record&quot;.</p>
<p>Below is a sample of the information contained in a &quot;connection&quot; from Bro's documentation (https://www.bro.org/sphinx/scripts/base/init-bare.bro.html#type-connection).</p>
<ul>
<li><strong>id</strong>: conn_id - The connection’s identifying 4-tuple.</li>
<li><strong>orig</strong>: endpoint - Statistics about the originator side.</li>
<li><strong>resp</strong>: endpoint - Statistics about the responder side.</li>
<li><strong>start_time</strong>: time - The timestamp of the connection’s first packet.</li>
<li><strong>duration</strong>: interval - The duration of the conversation. Roughly speaking, this is the interval between the first and last data packet (low-level TCP details may adjust it somewhat in ambiguous cases).</li>
<li><strong>service</strong>: set[string] - The set of services the connection is using as determined by Bro’s dynamic protocol detection. Each entry is the label of an analyzer that confirmed that it could parse the connection payload. While typically there will be at most one entry for each connection, in principle it is possible that more than one protocol analyzer is able to parse the same data. If so, all will be recorded. Also note that the recorded services are independent of any transport-level protocols.</li>
</ul>
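<p>The following script is an added example (not part of the original page) that puts the types above together: a subnet constant marked &amp;redef, a record type, two tables, the !in membership test and for loops over the tables. The module name, the SessionInfo record and the table names are made up for the example; connection_established, bro_done, conn_id, network_time() and fmt() are Bro's own.</p>

```bro
# Added example, not from the original page. Module and type names are
# illustrative; the events, record fields and functions are Bro's own.
module SessionTracker;

export {
    # Responder subnet worth tracking; &redef lets a site override it,
    # e.g. redef SessionTracker::monitored_net = 10.0.0.0/8;
    const monitored_net: subnet = 192.168.1.0/24 &redef;
}

# A record bundling what is kept per session (hypothetical type).
type SessionInfo: record {
    orig_h: addr;
    resp_p: port;
    ts:     time;
};

# Table indexed by connection uid (string), yielding a SessionInfo record.
global sessions: table[string] of SessionInfo;

# Table indexed by originator address, yielding a connection count.
# &default=0 makes a missing index read as 0, so ++ works on first use.
global conns_per_orig: table[addr] of count &default=0;

event connection_established(c: connection)
{
    # Subnet membership test with the !in operator on the nested field.
    if ( c$id$resp_h !in monitored_net )
        return;

    ++conns_per_orig[c$id$orig_h];

    # Record constructor: $field=value pairs inside square brackets.
    sessions[c$uid] = [$orig_h=c$id$orig_h, $resp_p=c$id$resp_p,
                       $ts=network_time()];
}

event bro_done()
{
    # Iterating a single-index table: the loop variable is the index.
    for ( h in conns_per_orig )
        print fmt("%s opened %d connections into %s",
                  h, conns_per_orig[h], monitored_net);

    # Reading fields of the record yielded by the second table.
    for ( uid in sessions )
        print fmt("%s %s -> port %s at %s", uid, sessions[uid]$orig_h,
                  sessions[uid]$resp_p, sessions[uid]$ts);
}
```

<p>Run it against a capture with <code>bro -r file.pcap tracker.bro</code> (file names assumed); the summary is printed when bro_done fires at the end of the trace.</p>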
<h2 id="extracting-information-an-event"><span class="header-section-number">3.6</span> Extracting Information from an Event</h2>
<p>Now that we understand more about the <strong>connection_established</strong> event, let's write a simple Bro script that extracts the source and destination addresses from network traffic and prints them out.</p>
<ol style="list-style-type: decimal">
<li>Let's start with the code listed above when introducing the <strong>connection_established</strong> event.</li>
</ol>
<pre><code>event connection_established(c: connection) {

}</code></pre>
<ol start="2" style="list-style-type: decimal">
<li>We now need to add code to extract information from &quot;c&quot; and print it out. Because &quot;c&quot; is of type &quot;record&quot;, we can refer to the Bro documentation on how to interact with a &quot;record&quot;:</li>
</ol>
<pre><code>Access to a record field uses the dollar sign ($) operator:

global r: MyRecordType;
r$c = 13;</code></pre>
<ol start="3" style="list-style-type: decimal">
<li>According to Bro's documentation (see above), the &quot;c&quot; variable contains a field called &quot;id&quot; which holds &quot;The connection’s identifying 4-tuple.&quot; Using what we know about accessing fields from a record, extract and print the &quot;id&quot; field using &quot;print&quot;.</li>
</ol>
<pre><code>event connection_established(c: connection) {
    print c$id;
}</code></pre>
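<p>Going one step further than <code>print c$id;</code>, the added example below (not from the original page) pulls the individual fields out of the nested conn_id record, stamps the line with network_time(), and reads duration and service from the same connection record once Bro is done with it. Everything it calls (fmt, network_time, strftime, join_string_set, connection_state_remove) is part of Bro; only the message layout is the example's own.</p>

```bro
# Added example, not from the original page. Uses only Bro's own events,
# record fields and built-in functions; the output format is made up.
event connection_established(c: connection)
{
    # c$id is itself a record (conn_id); nested fields chain with $.
    local id: conn_id = c$id;
    local now: time = network_time();

    print fmt("%s connection_established uid=%s %s:%s -> %s:%s",
              strftime("%Y-%m-%d %H:%M:%S", now),
              c$uid, id$orig_h, id$orig_p, id$resp_h, id$resp_p);
}

# By the time Bro discards its state for a connection, the duration and the
# service set filled in by dynamic protocol detection are available.
event connection_state_remove(c: connection)
{
    # c$service is a set[string]; join it so an empty or multi-entry set
    # still prints as one field.
    local svc: string = join_string_set(c$service, ",");
    if ( svc == "" )
        svc = "none";

    print fmt("uid=%s duration=%s service=%s", c$uid, c$duration, svc);
}
```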
<h2 id="syntax-tips"><span class="header-section-number">3.7</span> Syntax Tips</h2>
<ul>
<li>Each statement of code must be punctuated with a semicolon</li>
<li>A variable declaration follows the format:
<ul>
<li>[global | local] variable_name: variable_type;</li>
</ul></li>
</ul>
<h2 id="workshop"><span class="header-section-number">3.8</span> Workshop</h2>
<ul>
<li>Connect to 'reservoirlabs' SSID, password: reservoirlabsftw</li>
</ul>
<h3 id="exercise-1-exploring-bro-logs-in-splunk"><span class="header-section-number">3.8.1</span> Exercise 1: Exploring Bro Logs in Splunk</h3>
<ul>
<li>Navigate your browser to: splunk:8000, u: admin, p: reservoirlabsftw</li>
</ul>
<ol style="list-style-type: decimal">
<li>Did an SSH brute force attack occur? What are the source and destination IP addresses? What tool was used to conduct the attack? What country did the attack originate in?</li>
<li>What type of files were downloaded by 10.10.100.139 yesterday?</li>
<li>What browsers does 10.10.100.139 use?</li>
</ol>
<h3 id="exercise-2-modifying-hello-script"><span class="header-section-number">3.8.2</span> Exercise 2: Modifying the &quot;hello&quot; Script</h3>
<ul>
<li>Navigate your browser to: http://try.bro.com</li>
<li>Open another tab for Bro's documentation at:
<ul>
<li>https://www.bro.org/sphinx/script-reference/index.html</li>
<li>Use the &quot;search&quot; bar on the right hand side of the page to search the Bro documentation. (Note: Do not use the &quot;Google&quot; search bar)</li>
</ul></li>
</ul>
<ol style="list-style-type: decimal">
<li>Using what you learned in the lecture, change the &quot;bro_init&quot; event to the &quot;connection_established&quot; event</li>
<li>Now change the text of the print statement to say &quot;connection_established&quot; and print the time (Note: search for the &quot;network_time()&quot; function in the Bro docs)</li>
<li>Change the print statement again so that you print the data delivered by the connection_established event (Note: search for the &quot;fmt()&quot; function in the Bro docs)</li>
<li>Change the print statement again so that you only print connection records for responders in the subnet 192.168.1.0/24.</li>
</ol>
<p>References:</p>
<ol style="list-style-type: decimal">
<li>https://www.bro.org/why_choose_bro.pdf</li>
<li>http://en.wikipedia.org/wiki/Bro_%28software%29</li>
<li>http://en.wikipedia.org/wiki/Network_tap</li>
<li>http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/10570-41.html#anc0</li>
<li>http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/san-consolidation-solution/net_implementation_white_paper0900aecd802cbe92.html</li>
<li>https://supportforums.cisco.com/document/19196/limitations-span-and-rspan-cisco-catalyst-2950-3550-3560-and-3750-swtiches</li>
<li>https://www.bro.org/sphinx-git/scripts/base/bif/plugins/Bro_TCP.events.bif.bro.html</li>
</ol>
</body>
</html>