[Bro] Basic Question

Justin Thomas justin at justinthomas.name
Thu Dec 6 09:18:21 PST 2012


Argh - no tabs in Gmail.

from broccoli import *

# Connect to the Bro instance (same address as in the earlier message below)
bc = Connection("10.0.0.1:47760")

@event
def new_connection(connection):
    # Print every new_connection event the sensor sends us
    print connection

# Block and dispatch incoming events to the handlers registered above
while True:
    bc.processInput()

...and still don't see any activity despite seeing lots of messages in
conn.log.

Any troubleshooting tips? I also know that the connection to the sensor is
being established - I'm entering the script interactively via ipython and
no errors are generated (and I see the connected socket via netstat on the
sensor).

On Thu, Dec 6, 2012 at 9:14 AM, Justin Thomas <justin at justinthomas.name> wrote:

> It actually is configured as standalone - my mistake.
>
> I changed my python script to:
>
> from broccoli import *
> bc = Connection("10.0.0.1:47760")
>
> @event
> def new_connection(event):
>
>
> On Thu, Dec 6, 2012 at 8:56 AM, Justin Thomas <justin at justinthomas.name> wrote:
>
>> From here:
>> http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events
>>
>> I guess the "old" in the URL should have tipped me off. I had some
>> trouble finding descriptions of built-in events, so I just grabbed the
>> first thing that looked reasonable. I'll look over the document you linked
>> below. I did try using the "new_connection" event with similar results
>> (i.e., none), so your comment on the cluster configuration may also be a
>> sticking point for me.
>>
>> I'll look over my configuration with that note about the manager not
>> generating the protocol events in mind; I'm not sure on the specifics (if I
>> recall correctly, I think I configured it as a cluster for future expansion
>> but am only running on one machine right now).
>>
>>
>> On Thu, Dec 6, 2012 at 6:51 AM, Seth Hall <seth at icir.org> wrote:
>>
>>>
>>> On Dec 6, 2012, at 12:55 AM, Justin Thomas <justin at justinthomas.name>
>>> wrote:
>>>
>>> > @event
>>> > def ssl_conn_attempt(connection, version, ciphers):
>>>
>>> Where did you get this event from?  That is an old event that was
>>> removed prior to the 2.0 release.  You can refer to the following link for
>>> all of our current (2.1 release) analyzer generated events:
>>>         http://bro-ids.org/documentation/scripts/base/event.bif.html
>>>
>>> Are you running Bro with BroControl in standalone mode too?  If you run
>>> a cluster and you only connect to your manager you won't see these events
>>> either because the protocol events aren't being generated on the manager.
>>>  It looks like you're doing the right things in your python script though.
>>>
>>>   .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro-ids.org/
>>>
>>>
>>
>