[Bro] Basic Question

[Siwek, Jonathan Luke]

> Any troubleshooting tips? I also know that the connection to the sensor is being established - I'm entering the script interactively via ipython and no errors are generated (and I see the connected socket via netstat on the sensor).

You could use tcpdump to see if any packets are actually sent after the connection is made.  Sometimes communication.log can have relevant information.  And there's some pybroccoli documentation at [1] if you haven't read it yet.  You might also try to get an even more minimal test to work first, like instead of using broctl, run bro from the command line as `bro -b -i <iface> ./test.bro`.

test.bro:

   @load frameworks/communication/listen
    redef Communication::listen_port = 47760/tcp;

    global my_event: event(cid: conn_id);

    event new_connection(c: connection)
        {
        print "new_connection", c$id;
        event my_event(c$id);
        }

test.py:

    #! /usr/bin/env python

    from broccoli import *

    conn_id = record_type("orig_h", "orig_p", "resp_h", "resp_p")

    @event(conn_id)
    def my_event(cid):
        print "my_event", cid

    bc = Connection("127.0.0.1:47760")

    while True:
        bc.processInput()

And if that works, then you can try moving the event declaration/handler in to share/bro/site/local.bro to see test.py works from your standalone broctl setup.

A couple other things about the example above:

1) For events that have record type parameters, they have to be defined in the python script.

2) The "connection" type parameter for the "new_connection" event is pretty complex, so I've declared "my_event" to be more deliberate in picking out only a few fields.

    Jon

[1] http://www.bro-ids.org/documentation/components/broccoli-python/README.html