[Bro] icmp events (custom and original) not firing? (now with line breaks!)

Scott Wells swells at cyberadapt.com
Tue Mar 3 07:54:52 PST 2015

It's been a while since I've used a mailing list. Didn't add line breaks.  Sorry.
So let's try this again for better readability.

I am writing a C++ program to interface with Bro, using Broccoli.

According to this [Bro] Mailing List message (http://mailman.icsi.berkeley.edu/pipermail/bro/2014-December/007844.html),
I need to create my own events that only use certain fields from the conn_id bro record.

I followed the example in the post, using the 'dns_message' event as a test.

1) In bro/share/bro/base/bif/plugins/Bro_DNS.events.bif.bro, I added this line after line 26:
   global dns_message_test: event(cid: conn_id, is_orig: bool , msg: dns_msg , len: count );

2) In bro/share/bro/base/protocols/dns/main.bro, in the 'event dns_message' event (ln 286),
   I added this at the bottom of the event: event dns_message_test(c$id, is_orig, msg, len);

3) Then, in my main function, I add it to the registry with something like:
   bro_event_registry_add_compact(f_broPtr, "dns_message_test", (BroCompactEventFunc) event_cb, NULL);

And my 'event_cb' callback function is called and everything seems good.

However, I then wanted to try with icmp_time_exceeded and icmp_packet_too_big (which is part of what I'm after):
In bro/share/bro/base/bif/plugins/Bro_ICMP.events.bif.bro, I add a '_test' event to both:
 global icmp_packet_too_big_test: event(cid: conn_id , icmp: icmp_conn , code: count , context: icmp_context );
 global icmp_time_exceeded_test: event(cid: conn_id , icmp: icmp_conn , code: count , context: icmp_context );

1) There is only one 'event icmp*' function block, and that's in /bro/share/bro/policy/misc/detect-traceroute/main.bro
   for 'icmp_time_exceeded'. This has an associated  'event icmp_time_exceeded' (line 98).
   I add my 'icmp_time_exceeded_test(c$id, icmp, code, context)' line in that
   function and register it with another bro_event_registry_add_compact line in
   my C code, but the event (original and my _test version) never fires.
   I'm not sure I'm using the correct 'event icmp' since the detect-traceroute
   comments say it's for a Time Exceeded threshold, and I'm more interested
   in capturing ANY Time exceeded event.

2) Given 1), I cannot find a 'main.bro' file with 'event icmp_packet_too_big',
   and so that event (original and _test version) never fires, either.

I am very new to DPI, so I may be missing something obvious.  Any help greatly appreciated.



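Added example, not part of the original post or of the Bro distribution: one way to apply the relay-event steps from the message to the two ICMP events from a separate site script, rather than by editing the installed files. The file name is hypothetical, and the script assumes the `_test` declarations have not also been added to Bro_ICMP.events.bif.bro and that the Broccoli connection is set up as in the working dns_message_test case.

```bro
# icmp-relay.bro (hypothetical file name). Load it from site/local.bro with
#   @load ./icmp-relay
# Added example, not code from the Bro distribution.

# Relay events that carry conn_id instead of the full connection record,
# with the same parameter lists as the declarations in the post.
global icmp_time_exceeded_test: event(cid: conn_id, icmp: icmp_conn,
                                      code: count, context: icmp_context);
global icmp_packet_too_big_test: event(cid: conn_id, icmp: icmp_conn,
                                       code: count, context: icmp_context);

# Handler for every ICMP Time Exceeded message. Several handlers may exist
# for one event, so this runs whether or not misc/detect-traceroute is
# loaded (scripts under policy/ are only active when something @loads them).
event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count,
                         context: icmp_context)
	{
	# Printed on the Bro side so script problems can be told apart from
	# problems in the Broccoli client.
	print fmt("icmp_time_exceeded %s -> %s code=%d",
	          c$id$orig_h, c$id$resp_h, code);
	event icmp_time_exceeded_test(c$id, icmp, code, context);
	}

# Handler for every ICMP Packet Too Big message.
event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count,
                          context: icmp_context)
	{
	print fmt("icmp_packet_too_big %s -> %s code=%d",
	          c$id$orig_h, c$id$resp_h, code);
	event icmp_packet_too_big_test(c$id, icmp, code, context);
	}
```

If the print lines appear when Bro sees matching traffic but the Broccoli callback stays silent, the problem is on the client or connection side rather than in the script.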