[Bro] Some events not received by broccoli

Siwek, Jonathan Luke jsiwek at illinois.edu
Tue Dec 3 09:54:57 PST 2013


On Nov 22, 2013, at 9:04 AM, Björn Samvik <Bjorn.Samvik at netclean.com> wrote:

> Hello,
> 
> I'm using broccoli to receive bro (2.2-5) events and are having some problems. Consider the following.
> 
> The broccoli client is listening to 2 events.
> bro_event_registry_add(m_bc, "file_new", (BroEventFunc)&Broccoli::newFile, this);
> bro_event_registry_add(m_bc, "test_event", (BroEventFunc)&Broccoli::newFile, this);
> 
> The following bro script is used.
> 
> ...
> global test_event: event(f: fa_file);
> event file_new(f: fa_file)
> { 
>     event test_event(f);
> }
> 
> The file_new event is correctly received by my broccoli client however the test_event is not received. If I change the content of the test_event to something else it works.
> 
> ...
> global test_event: event(f: string);
> event file_new(f: fa_file)
> { 
>     event test_event(f$mime_type);
> }
> 
> So, is this expected and in that case why and what is the proposed way of solving the issue?
> 
> (Also noticed that the file_state_removed(f: fa_file) event is not received by the broccoli client.)

It’s somewhat of a bug in broccoli: it doesn't support receiving events that have arguments containing vector values and silently discards those that do.  The reason why file_new is received, but not test_event/file_state_removed is because the fa_file record argument starts off with some optional vector fields that aren’t initialized and they later become populated by some Bro scripts before test_event/file_state_removed make it through the event queue.

I’ve patched broccoli [1] to be able to receive vectors, which should fix your problem if you want to try it.  Otherwise, the workaround is to send the broccoli client simpler data types (Bro connection/fa_file/*::Info records can get complicated), perhaps picking out just pieces you need.

- Jon

[1] https://bro-tracker.atlassian.net/browse/BIT-1100
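As an added illustration of the workaround Jon describes (not code from the thread or from the Bro project), the script below forwards only scalar pieces of the fa_file record, so the event the broccoli client receives carries no vector-valued arguments. The event name file_summary and the choice of fields are assumptions; the field names follow the fa_file record as defined in Bro 2.2, where mime_type and total_bytes are &optional, and file_state_remove is the event Bro raises when a file's state is discarded.

```bro
# Added example: a broccoli-friendly event built only from scalar types
# (string, count, bool), instead of passing the whole fa_file record.
# The broccoli handler registered for "file_summary" should accept
# matching arguments (BroString* for string, uint64* for count, int* for bool).
global file_summary: event(fid: string, source: string, mime: string,
                           seen: count, total: count, done: bool);

# Picks the scalar fields out of fa_file, substituting defaults for the
# &optional fields so every argument is always initialized.
function summarize(f: fa_file, done: bool)
	{
	local mime = f?$mime_type ? f$mime_type : "";
	local total = f?$total_bytes ? f$total_bytes : 0;
	event file_summary(f$id, f$source, mime, f$seen_bytes, total, done);
	}

# Raised when Bro first sees a file; the record is mostly unpopulated here.
event file_new(f: fa_file)
	{
	summarize(f, F);
	}

# Raised when Bro discards the file's state; by now the record's optional
# vector fields have been filled in, which is what broccoli cannot receive.
event file_state_remove(f: fa_file)
	{
	summarize(f, T);
	}
```

Using the done flag lets a single broccoli handler tell the two cases apart without the client ever seeing the fa_file record itself.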
