[Bro] Getting SSL events into Python

Karol Babioch karol at babioch.de
Mon Jan 30 06:34:53 PST 2017


I'm currently researching SSL/TLS handshakes and want to process several
events Bro provides with the SSL plugin. I've installed Bro along with
broccoli and broccoli-python and the "broping" example (from the test
directory) is working just fine. For each "ping" event I sent to Bro, a
"pong" is received and processed in my Python script.

However, in the case of SSL, my callbacks are never executed. The most
simplified version looks something like this:

> #! /usr/bin/env python
> from broccoli import *
> @event
> def ssl_established(c):
>     print('established')
> bc = Connection("")
> while True:
>     bc.processInput()

To my understanding I don't even have to load the SSL plugin, since it
resides within "base", but nevertheless my local.bro contains the following:

> @load broping
> @load base/protocols/ssl

When starting Bro and executing the Python script mentioned above,
nothing happens, even if SSL traffic is going through the interface
(and/or coming from a recorded pcap). I've also tried to register
callbacks for various other SSL related events (ssl_client_hello,
ssl_server_hello, etc.), but in no case were my callbacks invoked.

The only difference to the "broping.py" from the examples is that I'm
not sending any events, but just want to receive them (hence I'm calling
processInput() regularly).

What am I missing here? Do I somehow need to enable the SSL
functionality within Bro? How can I further debug the problem?

Any help is very much appreciated, since I've spent a fair amount of
time on this already, with no real progress.

Thank you very much!

Best regards,
Karol Babioch
