[Bro] Problem with Broccoli connection

Daniel Wyschogrod dwyschogrod at bbn.com
Mon Dec 3 08:28:30 PST 2012 

Seth,

I think I've tracked down the problem, but it leads to another mystery.  In my local.bro file, as I've pointed out, I have inserted the line:

redef Communication::listen_port = 12345/tcp;

In the barnyard2.conf file, I've added:

output alert_bro: 127.0.0.1:12345

I'm expecting, of course, a connection on port 12345.  However, when I did a "netstat -l", I discovered that the bro process was listening on port 47760! The output from netstat -l was:

tcp        0      0 0.0.0.0:47760           0.0.0.0:*               LISTEN      6326/bro 

When I changed the barnyard2.conf to:

output alert_bro: 127.0.0.1:47760

the connection took place as expected.  In addition, py-broccoli makes the connection as well when i use:
Connection("127.0.0.1:47760")

On further investigation, I found that a bro file was generated in spool/installed-scripts-do-not-touch/auto called standalone-layout.bro.  Its content is:

# Automatically generated. Do not edit.
redef Communication::listen_port = 47760/tcp;
redef Communication::nodes += {
        ["control"] = [$host=127.0.0.1, $zone_id="", $class="control", $events=Control::controller_events],
};

The 47760 port is the same in the standalone-layout.bro no matter what I set the listen_port to in local.bro.  Where does the 47760 port come from and what can I do to use a different port?

Thanks again,
Dan

____________________
Dan Wyschogrod

Senior Scientist
Cyber Security
Raytheon/BBN Technologies

dwyschogrod at bbn.com




On Dec 3, 2012, at 8:53 AM, Seth Hall <seth at icir.org> wrote:

> 
> On Dec 3, 2012, at 12:04 AM, Seth Hall <seth at icir.org> wrote:
> 
>> 
>> On Dec 2, 2012, at 9:47 PM, Daniel Wyschogrod <dwyschogrod at bbn.com> wrote:
>> 
>>> 	["local"] = [$host=127.0.0.1, $class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
>>> 	};
>> 
>> You need two commas in that event name. 
> 
> Arg!  Two colons. :)  You could even just use /Barnyard2::.*/
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2593 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121203/9fd080a9/attachment.bin

More information about the Bro mailing list