[Bro] Basic Question

Justin Thomas justin at justinthomas.name
Thu Dec 6 14:41:55 PST 2012


You're a miracle worker!

Instead of running it locally, I first tried just modifying site/local.bro
by adding your snippet:

global my_event: event(cid: conn_id);

event new_connection(c: connection) {
  print "new_connection", c$id;
  event my_event(c$id);
}

...and changing my Python script as you described below (pointing to my
sensor instead of localhost). Sure enough, it's printing all kinds of stuff
now.

I'll work with this some more to be sure I fully understand it. My working
assumption is that the lack of the proper record_type in Python was my main
hang-up.

Thanks!

On Thu, Dec 6, 2012 at 2:28 PM, Siwek, Jonathan Luke <jsiwek at illinois.edu> wrote:

>
> > Any troubleshooting tips? I also know that the connection to the sensor
> is being established - I'm entering the script interactively via ipython
> and no errors are generated (and I see the connected socket via netstat on
> the sensor).
>
> You could use tcpdump to see if any packets are actually sent after the
> connection is made.  Sometimes communication.log can have relevant
> information.  And there's some pybroccoli documentation at [1] if you
> haven't read it yet.  You might also try to get an even more minimal test
> to work first, like instead of using broctl, run bro from the command line
> as `bro -b -i <iface> ./test.bro`.
>
> test.bro:
>
>     @load frameworks/communication/listen
>     redef Communication::listen_port = 47760/tcp;
>
>     global my_event: event(cid: conn_id);
>
>     event new_connection(c: connection)
>         {
>         print "new_connection", c$id;
>         event my_event(c$id);
>         }
>
> test.py:
>
>     #! /usr/bin/env python
>
>     from broccoli import *
>
>     conn_id = record_type("orig_h", "orig_p", "resp_h", "resp_p")
>
>     @event(conn_id)
>     def my_event(cid):
>         print "my_event", cid
>
>     bc = Connection("127.0.0.1:47760")
>
>     while True:
>         bc.processInput()
>
> And if that works, then you can try moving the event declaration/handler
> in to share/bro/site/local.bro to see test.py works from your standalone
> broctl setup.
>
> A couple other things about the example above:
>
> 1) For events that have record type parameters, they have to be defined in
> the python script.
>
> 2) The "connection" type parameter for the "new_connection" event is
> pretty complex, so I've declared "my_event" to be more deliberate in
> picking out only a few fields.
>
>     Jon
>
> [1]
> http://www.bro-ids.org/documentation/components/broccoli-python/README.html
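An added example, not code from the thread or from the Bro/pybroccoli project, that builds on Jon's test.py: it declares the same conn_id record type on the Python side (field names and order matching Bro's conn_id), then does something defender-useful with each my_event by keeping a per-originator count and a count of distinct responder endpoints each originator has contacted. The summary logic is kept separate from the Broccoli wiring so it can be exercised offline on constructed sample records. Assumptions: pybroccoli (Python 2) is installed, Bro is listening on 47760/tcp as in test.bro, the sensor address 192.0.2.10 is a placeholder, and pybroccoli delivers record fields as attributes on the handler argument.

```python
#!/usr/bin/env python
# Added example (not from the thread): consume my_event(cid: conn_id) from Bro
# through pybroccoli and keep a per-originator summary of what was seen. The
# broccoli wiring lives in main() so the summary logic also runs without Bro.
from collections import defaultdict


class ConnTracker(object):
    """Connections per originating host, plus the distinct (responder, port)
    pairs each originator has contacted."""

    def __init__(self):
        self.total = 0
        self.by_orig = defaultdict(int)
        self.targets = defaultdict(set)

    def add(self, orig_h, orig_p, resp_h, resp_p):
        self.total += 1
        self.by_orig[orig_h] += 1
        self.targets[orig_h].add((resp_h, resp_p))
        return self.total

    def busiest(self, n=1):
        """Top-n originators by connection count (ties broken by address)."""
        ranked = sorted(self.by_orig.items(), key=lambda kv: (-kv[1], kv[0]))
        return ranked[:n]

    def fan_out(self, orig_h):
        """How many distinct responder endpoints an originator has touched."""
        return len(self.targets.get(orig_h, ()))


def field(rec, name):
    """Pull one field out of a conn_id. pybroccoli hands records to the handler
    as objects whose fields are attributes (assumption); a plain dict with the
    same keys is accepted so the code can be driven offline. Values are
    stringified because addr/port arrive as broccoli wrapper objects."""
    if isinstance(rec, dict):
        return str(rec[name])
    return str(getattr(rec, name))


TRACKER = ConnTracker()


def handle_my_event(cid):
    """Body of the Bro event handler; returns the running connection count."""
    return TRACKER.add(field(cid, "orig_h"), field(cid, "orig_p"),
                       field(cid, "resp_h"), field(cid, "resp_p"))


# Constructed sample conn_id records standing in for what Bro would deliver.
SAMPLE_CIDS = [
    {"orig_h": "10.0.0.5", "orig_p": "51000/tcp", "resp_h": "10.0.0.9", "resp_p": "22/tcp"},
    {"orig_h": "10.0.0.5", "orig_p": "51001/tcp", "resp_h": "10.0.0.9", "resp_p": "80/tcp"},
    {"orig_h": "10.0.0.5", "orig_p": "51002/tcp", "resp_h": "10.0.0.9", "resp_p": "443/tcp"},
    {"orig_h": "10.0.0.7", "orig_p": "40000/tcp", "resp_h": "10.0.0.9", "resp_p": "80/tcp"},
    {"orig_h": "10.0.0.5", "orig_p": "51003/tcp", "resp_h": "10.0.0.9", "resp_p": "80/tcp"},
]


def replay(records, tracker=None):
    """Feed records through the same path the Bro handler uses, into a fresh
    tracker unless one is supplied."""
    tracker = ConnTracker() if tracker is None else tracker
    for rec in records:
        tracker.add(field(rec, "orig_h"), field(rec, "orig_p"),
                    field(rec, "resp_h"), field(rec, "resp_p"))
    return tracker


def main(sensor="192.0.2.10:47760"):
    # Assumes pybroccoli (Python 2) is installed and Bro is listening on the
    # port from test.bro; 192.0.2.10 is a documentation address, not a real sensor.
    import broccoli

    # Field names and order must match Bro's conn_id record exactly; leaving
    # this declaration out is the record_type hang-up the thread describes.
    conn_id = broccoli.record_type("orig_h", "orig_p", "resp_h", "resp_p")

    @broccoli.event(conn_id)  # handler is matched to the Bro event by name
    def my_event(cid):
        n = handle_my_event(cid)
        print("my_event #%d: %s:%s -> %s:%s" % (
            n, field(cid, "orig_h"), field(cid, "orig_p"),
            field(cid, "resp_h"), field(cid, "resp_p")))
        top_h, top_n = TRACKER.busiest()[0]
        print("busiest originator: %s (%d conns, %d endpoints)" % (
            top_h, top_n, TRACKER.fan_out(top_h)))

    bc = broccoli.Connection(sensor)
    while True:
        bc.processInput()


if __name__ == "__main__":
    main()
```

Run it as `python example.py` with the sensor address changed to the real one; `replay(SAMPLE_CIDS)` exercises the same counting path without a sensor, which is a convenient way to confirm the handler logic before chasing connectivity with tcpdump or communication.log.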