[Bro] Basic Question
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Dec 6 14:28:12 PST 2012
> Any troubleshooting tips? I also know that the connection to the sensor is being established - I'm entering the script interactively via ipython and no errors are generated (and I see the connected socket via netstat on the sensor).
You could use tcpdump to see if any packets are actually sent after the connection is made. Sometimes communication.log can have relevant information. And there's some pybroccoli documentation at  if you haven't read it yet. You might also try to get an even more minimal test to work first, like instead of using broctl, run bro from the command line as `bro -b -i <iface> ./test.bro`.
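test.bro:

```bro
@load frameworks/communication/listen  # enable listening for remote (Broccoli) connections
redef Communication::listen_port = 47760/tcp;
global my_event: event(cid: conn_id);

event new_connection(c: connection)
	{
	print "new_connection", c$id;
	event my_event(c$id);  # pass along only the conn_id record
	}
```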
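test.py:

```python
#! /usr/bin/env python
from broccoli import *

# Record-typed event parameters must be declared on the Python side.
conn_id = record_type("orig_h", "orig_p", "resp_h", "resp_p")

@event(conn_id)
def my_event(cid):
    print "my_event", cid

bc = Connection("127.0.0.1:47760")
while True:
    bc.processInput()  # dispatch events received from Bro
```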
And if that works, then you can try moving the event declaration/handler into share/bro/site/local.bro to see if test.py works from your standalone broctl setup.
A couple other things about the example above:
1) For events that have record type parameters, they have to be defined in the python script.
2) The "connection" type parameter for the "new_connection" event is pretty complex, so I've declared "my_event" to be more deliberate in picking out only a few fields.