testing cross bro communication

Christian Kreibich christian at whoop.org
Tue Jun 22 15:04:21 PDT 2004


On Tue, 2004-06-22 at 14:18, scott campbell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I have begun testing the cross-bro communication functionality, and have 
> a few problems.  Are there any example configurations that I might look 
> at?  Currently I have boxes acknowledging one another, but am having 
> difficulty getting events to move across.
> 
> Does anybody have any sort of documentation or examples?  Anything would 
> be helpful at this point...

I'm sure Robin will have all the definitive answers for you but I can
point out one caveat when it comes to testing the comms stuff that might
sound a bit funny: make sure Bro is busy. I believe the current event
loop needs to see packets on the monitored interfaces to keep the loop
going (and thus allow event I/O to be processed). If somebody could
acknowledge or disprove that this is the case that would be most
helpful!

Documentation is still scarce but if you have the Bros acking each other
you should basically be set.

The latest Broccoli release contains a "broping" test tool that will
send a "ping" event to a Bro, and with broping.bro policy (included in
the tarball) running on the remote Bro you should get to see "pong"
events coming back:

cpk25 at localhost:/home/cpk25/devel/broccoli > ./test/broping
pong event from 127.0.0.1: seq=1, time=0.004700/1.010303 s
pong event from 127.0.0.1: seq=2, time=0.053777/1.010266 s
pong event from 127.0.0.1: seq=3, time=0.006435/1.010284 s
pong event from 127.0.0.1: seq=4, time=0.020278/1.010319 s
pong event from 127.0.0.1: seq=5, time=0.004563/1.010187 s
pong event from 127.0.0.1: seq=6, time=0.005685/1.010393 s

You can snarf a copy at http://www.cl.cam.ac.uk/~cpk25/vern .

Good luck,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org





More information about the Bro mailing list