BroAPT-Core Framework

The BroAPT-Core framework is the extraction framework for the BroAPT system. For more information about the framework, please refer to previous documentation at BroAPT-Core Extration Framework.

Bro Scripts

• Module Entry
• Configurations
• MIME-Extension Mappings
• FileExtraction Module
• Extract by Protocol
• Extract by MIME Type
• Site Customisations

Python Modules

• Module Entry
• System Entrypoint
  • __main__.PCAP_MGC
  • __main__.is_pcap()
  • __main__.listdir()
  • __main__.parse_args()
  • __main__.check_history()
  • __main__.main_with_args()
  • __main__.main_with_no_args()
  • __main__.main()
• Bro Script Composer
  • Introduction
  • Functions
    • compose.file_salt()
    • compose.compose()
    • compose.escape()
  • Constants
    • Auxiliaries
      • compose.ROOT
      • compose.BOOLEAN_STATES
    • Bro Configs
      • compose.LOGS_PATH
      • compose.PCAP_PATH
      • compose.MIME_MODE
      • compose.HASH_MODE_MD5
      • compose.HASH_MODE_SHA1
      • compose.HASH_MODE_SHA256
      • compose.X509_MODE
      • compose.ENTROPY_MODE
      • compose.DUMP_PATH
      • compose.SIZE_LIMIT
      • compose.JSON_MODE
      • compose.LOAD_MIME
      • compose.LOAD_PROTOCOL
    • Subsitute Patterns
      • compose.FILE_TEMP
      • compose.MIME_REGEX
      • compose.LOGS_REGEX
      • compose.HASH_REGEX_MD5
      • compose.HASH_REGEX_SHA1
      • compose.HASH_REGEX_SHA256
      • compose.X509_REGEX
      • compose.ENTR_REGEX
      • compose.JSON_REGEX
      • compose.SALT_REGEX
      • compose.FILE_REGEX
      • compose.PATH_REGEX
      • compose.SIZE_REGEX
      • compose.LOAD_REGEX
• Common Constants
  • const.ROOT
  • const.BOOLEAN_STATES
  • const.CPU_CNT
  • const.INTERVAL
  • const.DUMP_PATH
  • const.PCAP_PATH
  • const.LOGS_PATH
  • const.MIME_MODE
  • const.BARE_MODE
  • const.NO_CHKSUM
  • const.HOOK_CPU
  • const.FILE
  • const.TIME
  • const.STDOUT
  • const.STDERR
  • const.QUEUE_LOGS
  • const.QUEUE
• Bro Log Parser
  • Dataclasses
    • logparser.TEXTInfo
      • logparser.TEXTInfo.format
      • logparser.TEXTInfo.path
      • logparser.TEXTInfo.open
      • logparser.TEXTInfo.close
      • logparser.TEXTInfo.context
      • logparser.TEXTInfo.exit_with_error
    • logparser.JSONInfo
      • logparser.JSONInfo.format
      • logparser.JSONInfo.context
  • Field Parsers
    • logparser.set_separator
    • logparser.empty_field
    • logparser.unset_field
    • logparser.set_parser()
    • logparser.vector_parser()
    • logparser.str_parser()
    • logparser.port_parser()
    • logparser.int_parser()
    • logparser.count_parser()
    • logparser.addr_parser()
    • logparser.subnet_parser()
    • logparser.time_parser()
    • logparser.float_parser()
    • logparser.interval_parser()
    • logparser.enum_parser()
    • logparser.bool_parser()
    • logparser.type_parser
  • Log Parsers
    • logparser.parse_text()
    • logparser.parse_text()
    • logparser.parse()
  • Module Entry
    • logparser.main()
• Extraction Process
  • process.process()
  • communicate()
  • process.SALT_LOCK
  • process.STDOUT_LOCK
  • process.STDERR_LOCK
  • process.ExtractWarning
• Bro Logs Processing
  • Hook Mainloop
    • remote.remote_proc()
    • remote.remote_logs()
    • remote.remote()
    • hook()
    • wrapper_logs()
    • wrapper_func()
  • Warnings
    • remote.HookWarning
  • Signal Handling
    • Bundled Implementation
      • remote.join_logs()
      • remote.JOIN_LOGS
    • Cluster Implementation
      • remote.join()
      • remote.JOIN
• Auxiliaries & Utilities
  • utils.suppress()
  • utils.file_lock()
  • utils.print_file()
  • utils.redirect()
  • utils.is_nan()
• Site Customisations
  • sites.HOOK
  • sites.EXIT

Wrapper Scripts

For the Docker container, we have created some Shell/Bash wrapper scripts to make the life a little bit better.

Bundled Implementation

File location:

source/client/init.sh

#!/usr/bin/env bash

set -aex

# change curdir
cd /broapt

# load environs
if [ -f .env ] ; then
    source .env
fi

# compose Bro scripts
/usr/bin/python3.6 python/compose.py

# run scripts
/usr/bin/python3.6 python $@

# sleep
sleep infinity

Cluster Implementation

File location:

cluster/core/source/init.sh

#!/usr/bin/env bash

set -aex

# change cwd
cd /source

# load environs
if [ -f .env ] ; then
    source .env
fi

# compose Bro scripts
/usr/bin/python3.6 python/compose.py

# run scripts
/usr/bin/python3.6 python $@

# sleep
sleep infinity