[Bro] Getting SSL events into Python

Johanna Amann johanna at icir.org
Tue Feb 14 13:20:49 PST 2017

Hello Karol,

by default, events that are handled locally inside of Bro are not sent
anywhere else; for core-raised events, you will have to re-raise them
(with a different name to not cause any issues), and set your
communication preferences so that the raised event will be forwarded to
broccoli (like done in broping.bro).

I hope this helps,

On Mon, Jan 30, 2017 at 03:34:53PM +0100, Karol Babioch wrote:
> Hi,
> I'm currently researching SSL/TLS handshakes and want to process several
> events Bro provides with the SSL plugin. I've installed Bro along with
> broccoli and broccoli-python and the "broping" example (from the test
> directory) is working just fine. For each "ping" event I sent to Bro, a
> "pong" is received and processed in my Python script.
> However, in case of the SSL my callbacks are never executed. The most
> simplified version looks something like this:
> > #! /usr/bin/env python
> > 
> > from broccoli import *
> > 
> > @event
> > def ssl_established(c):
> >     print('established')
> > 
> > bc = Connection("")
> > 
> > while True:
> >     bc.processInput()
> To my understanding I don't even have to load the SSL plugin, since it
> resides within "base", but nevertheless my local.bro contains the following:
> > @load broping
> > @load base/protocols/ssl
> When starting Bro and executing the Python script mentioned above,
> nothing happens, even if SSL traffic is going through the interface
> (and/or coming from a recorded pcap). I've also tried to register
> callbacks for various other SSL related events (ssl_client_hello,
> ssl_server_hello, etc.), but in no case were my callbacks invoked.
> The only difference to the "broping.py" from the examples, is that I'm
> not sending any events, but just want to receive them (hence I'm calling
> processInput() regularly).
> What am I missing here? Do I somehow need to enable the SSL
> functionality within Bro? How can I further debug the problem?
> Any help is very much appreciated, since I've spent a fair amount of
> time on this already, with no real progress.
> Thank you very much!
> Best regards,
> Karol Babioch

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list