[Bro] broclient and NOTICE()
Sean McCreary
mccreary at ucar.edu
Mon Feb 16 22:34:00 PST 2009
I'm having trouble feeding events to bro v1.4 using broclient. I built
broclient using the source in aux/broccoli/contrib, and configured bro
to listen for remote connections. This setup will sometimes crash with
run-time error messages like these:
> 1234849021.842185 run-time error: peer 10000 does not exist
> 1234849021.842185 /usr/local/bro/share/bro/notice.bro, line 261 (n$src_peer): internal error: field value missing
I dug a little in the source, and it seems like n$src_peer should be set
automatically by get_event_peer(), an internal function in the event
engine. Before digging deeper in the bro source, I thought I'd ask if
anyone has seen this before, or if I'm doing something obviously wrong.
Here's the relevant bro code that causes the error:
> ## Track ssh logins using info from syslog
> @load listen-clear
> @load remote
>
> redef listen_if_clear = 127.0.0.1;
> redef Remote::destinations += {
>     ["syslog"] = [$host = 127.0.0.1, $events = /.*/, $connect=F],
> };
>
> redef enum Notice += { NewSSHConn };
> global ssh_conns: set[string, addr, string, string] &persistent;
>
> redef notice_policy += {
>     # Email when a user logs in from a new client or using
>     # a different authenticator
>     [$pred(n: notice_info) =
>         {
>         return n$note == NewSSHConn;
>         },
>      $result = NOTICE_EMAIL,
>      $priority = 1],
> };
>
> event ssh_login(server:string, authtype:string, user:string, client:addr) {
>     if ( [server, client, user, authtype] !in ssh_conns ) {
>         add ssh_conns[server, client, user, authtype];
>         NOTICE([$note=NewSSHConn, $src=client,
>                 $msg=fmt("New SSH connection %s->%s:%s@%s",
>                          client, user, authtype, server)]);
>     };
> };
I can trigger the error with the following command:
> echo "ssh_login string=server string=authtype string=user addr=1.2.3.4" | /usr/local/bro/bin/broclient
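The post's script is meant to be fed from syslog, and the broclient command above shows the line format it expects: an event name followed by whitespace-separated `type=value` arguments in the order of the handler's parameters. The following Python script is an added example, not code from the post or from the Bro project: it parses OpenSSH "Accepted ..." syslog lines and emits `ssh_login` lines in exactly that format. The sample syslog lines are constructed, the event name and argument order come from the post's `ssh_login` handler, and the script assumes the syslog hostname field is the SSH server name. It rejects values that cannot be expressed in a whitespace-delimited format and client fields that are not IP literals (sshd logs hostnames when reverse lookups are enabled), since an `addr=` argument that is not an address would be a malformed event rather than a useful notice.

```python
"""Turn OpenSSH 'Accepted ...' syslog lines into broclient event lines."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample input (not from the post). The hostname field of each
# syslog line is used as the SSH server name; the sshd message text follows
# the OpenSSH "Accepted <method> for <user> from <addr> port <n>" format.
SAMPLE_SYSLOG = """\
Feb 16 22:30:01 bastion sshd[4121]: Accepted publickey for alice from 1.2.3.4 port 51022 ssh2
Feb 16 22:30:05 bastion sshd[4130]: Failed password for root from 1.2.3.5 port 51100 ssh2
Feb 16 22:31:44 bastion sshd[4142]: Accepted password for bob from 10.0.0.7 port 40022 ssh2
Feb 16 22:32:10 bastion sshd[4150]: Accepted publickey for carol from gw.example port 40100 ssh2
"""

SSHD_ACCEPTED = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(?P<server>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<authtype>\S+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<client>\S+)\s+port\s+\d+"
)


class SshLogin(NamedTuple):
    server: str
    authtype: str
    user: str
    client: str


def parse_sshd_line(line: str) -> Optional[SshLogin]:
    """Return the login fields for an 'Accepted' line, or None for anything else."""
    m = SSHD_ACCEPTED.match(line)
    if not m:
        return None
    return SshLogin(m["server"], m["authtype"], m["user"], m["client"])


def to_broclient_line(login: SshLogin) -> str:
    """Format one login as the whitespace-delimited 'event type=value ...' line
    shown in the post's broclient command, in the same argument order as the
    ssh_login handler. Values containing whitespace cannot be represented in
    this format and the addr field must be an IP literal, so both are rejected."""
    for field in (login.server, login.authtype, login.user):
        if not field or any(c.isspace() for c in field):
            raise ValueError(f"unrepresentable string value: {field!r}")
    # ip_address() raises ValueError for hostnames, which sshd may log when
    # reverse lookups are enabled; such lines must not be forwarded as addr=.
    ipaddress.ip_address(login.client)
    return (f"ssh_login string={login.server} string={login.authtype} "
            f"string={login.user} addr={login.client}")


def syslog_to_broclient(text: str) -> List[str]:
    """Convert a syslog excerpt into broclient lines, skipping non-login
    lines and any login whose fields cannot be encoded."""
    out = []
    for line in text.splitlines():
        login = parse_sshd_line(line)
        if login is None:
            continue
        try:
            out.append(to_broclient_line(login))
        except ValueError:
            continue
    return out


if __name__ == "__main__":
    # Pipe the output into broclient, e.g.
    #   python3 this_script.py | /usr/local/bro/bin/broclient
    print("\n".join(syslog_to_broclient(SAMPLE_SYSLOG)))
```

Run on the constructed sample, the script forwards the two well-formed logins and drops the failed-password line and the login whose client is a hostname; the deduplication into `ssh_conns` and the NOTICE itself remain the job of the Bro script in the post.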