[Bro] Basic Question

Thu Dec 6 13:54:40 PST 2012

Here is a gist with my current efforts:

https://gist.github.com/4227811

I've tried all kinds of things - including adding my client node to the
"Communication::nodes" table on the bro sensor. That allowed me to see
"peerstatus" information using broctl when I connected using the Python
script, but my callback still never fired despite all kinds of connections
being logged in conn.log.

I'm not sure where to look next - I've read every example I can find. Any
tips would be helpful.

Thanks!

On Thu, Dec 6, 2012 at 9:18 AM, Justin Thomas <justin at justinthomas.name>wrote:

> Argh - no tabs in Gmail.
>
> @event
> def new_connection(connection):
>     print connection
>
> while True:
>     bc.processInput()
>
> ...and still don't see any activity despite seeing lots of messages in
> conn.log.
>
> Any troubleshooting tips? I also know that the connection to the sensor is
> being established - I'm entering the script interactively via ipython and
> no errors are generated (and I see the connected socket via netstat on the
> sensor).
>
> On Thu, Dec 6, 2012 at 9:14 AM, Justin Thomas <justin at justinthomas.name>wrote:
>
>> It actually is configured as standalone - my mistake.
>>
>> I changed my python script to:
>>
>> from broccoli import *
>> bc = Connection("10.0.0.1:47760")
>>
>> @event
>> def new_connection(event):
>>
>>
>> On Thu, Dec 6, 2012 at 8:56 AM, Justin Thomas <justin at justinthomas.name>wrote:
>>
>>> From here:
>>> http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events
>>>
>>> I guess the "old" in the URL should have tipped me off. I had some
>>> trouble finding descriptions of built-in events, so I just grabbed the
>>> first thing that looked reasonable. I'll look over the document you linked
>>> below. I did try using the "new_connection" event with similar results
>>> (i.e., none), so your comment on the cluster configuration may also be a
>>> sticking point for me.
>>>
>>> I'll look over my configuration with that note about the manager not
>>> generating the protocol events in mind; I'm not sure on the specifics (if I
>>> recall correctly, I think I configured it as a cluster for future expansion
>>> but am only running on one machine right now).
>>>
>>>
>>> On Thu, Dec 6, 2012 at 6:51 AM, Seth Hall <seth at icir.org> wrote:
>>>
>>>>
>>>> On Dec 6, 2012, at 12:55 AM, Justin Thomas <justin at justinthomas.name>
>>>> wrote:
>>>>
>>>> > @event
>>>> > def ssl_conn_attempt(connection, version, ciphers):
>>>>
>>>> Where did you get this event from?  That is an old event that was
>>>> removed prior to the 2.0 release.  You can refer to the following link for
>>>> all of our current (2.1 release) analyzer generated events:
>>>>         http://bro-ids.org/documentation/scripts/base/event.bif.html
>>>>
>>>> Are you running Bro with BroControl in standalone mode too?  If you run
>>>> a cluster and you only connect to your manager you won't see these events
>>>> either because the protocol events aren't being generated on the manager.
>>>>  It looks like you're doing the right things in your python script though.
>>>>
>>>>   .Seth
>>>>
>>>> --
>>>> Seth Hall
>>>> International Computer Science Institute
>>>> (Bro) because everyone has a network
>>>> http://www.bro-ids.org/
>>>>
>>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20121206/c19f749d/attachment.html 