[Bro] Debugging Policies and Print Statement
Chris Green
greencm at gmail.com
Mon May 28 12:48:06 PDT 2012
Good day,
I'm using bro version 2.0-372 with a new git checkout from master as of
2012-05-27 on Centos6. I'm having an issue where the print statement in
the policy debugger displays nothing. Breakpoints and stack tracks seem to
work correctly but not being able to inspect variables is making playing
with policies frustrating.
Is this a known issue or is there some type of preprocessing make
inspection work?
Thanks,
Chris
In bro_init() at /usr/local/bro/share/bro/base/utils/site.bro:155
155 local_dns_suffix_regex = set_to_regex(local_zones,
"(^\\.?|\\.)(~~)$");
(Bro [0]) break http_entity_data
Setting breakpoint on http_entity_data:
There are multiple definitions of that event handler.
Please choose one of the following options:
[1] /usr/local/bro/share/bro/base/protocols/http/./file-ident.bro:79
[2] /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro:37
[3] /usr/local/bro/share/bro/base/protocols/http/./file-extract.bro:32
[4] /usr/local/bro/share/bro/base/protocols/http/./file-ident.bro:85
[a] All of the above
[n] None of the above
Enter your choice: 2
Breakpoint 1 set at http_entity_data at
/usr/local/bro/share/bro/base/protocols/http/./file-hash.bro:37
(Bro [1]) c
Continuing.
Breakpoint 1, http_entity_data(c = '[id=[orig_h=192.168.1.13,
orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], orig=[size=121,
state=4, num_pkts=4, num_bytes_ip=216, flow_label=0], resp=[size=3095,
state=4, num_pkts=4, num_bytes_ip=1963, flow_label=0],
start_time=1338087055.218736, duration=0.27459, service={
}, addl=, hot=0, history=ShACad, uid=cTLeNAfgQo2, dpd=<uninitialized>,
conn=[ts=1338087055.218736, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13,
orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], proto=tcp,
service=<uninitialized>, duration=<uninitialized>,
orig_bytes=<uninitialized>, resp_bytes=<uninitialized>,
conn_state=<uninitialized>, local_orig=T, missed_bytes=121,
history=<uninitialized>, orig_pkts=<uninitialized>,
orig_ip_bytes=<uninitialized>, resp_pkts=<uninitialized>,
resp_ip_bytes=<uninitialized>], extract_orig=F, extract_resp=F,
dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
http=[ts=1338087055.413572, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13,
orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], trans_depth=0,
method=<uninitialized>, host=<uninitialized>, uri=<uninitialized>,
referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0,
response_body_len=0, status_code=200, status_msg=OK,
info_code=<uninitialized>, info_msg=<uninitialized>,
filename=<uninitialized>, tags={
}, username=<uninitialized>, password=<uninitialized>, capture_password=F,
proxied=<uninitialized>, mime_type=application/x-dosexec, first_chunk=T,
md5=<uninitialized>, calc_md5=F, calculating_md5=F,
extraction_file=<uninitialized>, extract_file=F], http_state=[pending={
[0] = [ts=1338087055.413572, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13,
orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], trans_depth=0,
method=<uninitialized>, host=<uninitialized>, uri=<uninitialized>,
referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0,
response_body_len=0, status_code=<uninitialized>,
status_msg=<uninitialized>, info_code=<uninitialized>,
info_msg=<uninitialized>, filename=<uninitialized>, tags={
}, username=<uninitialized>, password=<uninitialized>,
capture_password=F, proxied=<uninitialized>, mime_type=<uninitialized>,
first_chunk=T, md5=<uninitialized>, calc_md5=F, calculating_md5=F,
extraction_file=<uninitialized>, extract_file=F],
[1] = [ts=1338087055.413572, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13,
orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], trans_depth=0,
method=<uninitialized>, host=<uninitialized>, uri=<uninitialized>,
referrer=<uninitialized>, user_agent=<uninitialized>, request_body_len=0,
response_body_len=0, status_code=200, status_msg=OK,
info_code=<uninitialized>, info_msg=<uninitialized>,
filename=<uninitialized>, tags={
}, username=<uninitialized>, password=<uninitialized>,
capture_password=F, proxied=<uninitialized>,
mime_type=application/x-dosexec, first_chunk=T, md5=<uninitialized>,
calc_md5=F, calculating_md5=F, extraction_file=<uninitialized>,
extract_file=F]
}, current_request=0, current_response=1], irc=<uninitialized>,
smtp=<uninitialized>, smtp_state=<uninitialized>, ssh=<uninitialized>,
ssl=<uninitialized>, syslog=<uninitialized>, known_services_done=F]',
is_orig = 'F', length = '1500', data =
'MZ\x90\0^C\0\0\0^D\0\0\0\xff\xff\0\0\xb8\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x80\0\0\0^N\x1f\xba^N\0\xb4^I\xcd!\xb8^AL\xcd!This
program cannot be run in DOS
mode.^M^M^J$\0\0\0\0\0\0\0PE\0\0L^A^C\0`\xdf\x9cO\0\xe2!\0\0\0\0\0\xe0\0/^C^K^A^B^V\0\xd0^I\0\0\0^A\0\0\xc0^Y\0^P\x85#\0\0\xd0^Y\0\0\xa0#\0\0\0@\0\0^P\0\0\0^B\0\0^D\0\0\0^A\0\0\0^D\0\0\0\0\0\0\0\0\xa0$\0\0^P\0\0\0\0\0\0^B\0\0\x80\0\0
\0\0^P\0\0\0\0^P\0\0^P\0\0\0\0\0\0^P\0\0\0\0\0\0\0\0\0\0\0^T\x9a$\0l^B\0\0\0\xa0#\0^T\xfa\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xf0\x90#\0^X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0\xc0^Y\0\0^P\0\0\0\0\0\0\0^B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x80\0\0\xe0UPX1\0\0\0\0\0\xd0^I\0\0\xd0^Y\0\0\xc2^I\0\0^B\0\0\0\0\0\0\0\0\0\0\0\0\0\0@
\0\0\xe0.rsrc\0\0\0\0\0^A\0\0\xa0#\0\0\xfe\0\0\0\xc4^I\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\xc03.07\0UPX!^M^I^N^G\x8c*]\xc2\xf4\x96\xc3\xc8\xd3e#\0\xf2\xb4^I\0\x1d\xe2!\0&\x1e\0\xb0^Z^C\0*\xa2X\xa54\x1ec\x1d\xbe^Wo\xc6UdK\xb5\xd9/kuB"\x9e^Q\xa5e\xe73\x1f\xc6Z\x91^Q\x8e\xd8\x97^BF\xba^P\xbdp\x92\xb4"7/\x92,\xf3\x9eg\x90\xfe^T\xfa|\xb7\xba\x8d0^T,\xf6K\x9a\xdf`:\x9e\xceJ\xe8\x98u\xa4(\xe2(\xd0H)^C\x90\x95>q\xca
\xfa^D\x963\xff2\x86QD'\xe0\xf5\x9a,\x9d^H4V\xda\xd5\xd0\xb5[^E|\x8e\xfd\x83\xd8^U\xa9\xd7^F^S\xa7\xe9\x91\xc7
~\xd3\xc7^B\x90\x1en\xbb\xe6\xa2\xb5\x8e\xe7\xf7\xbe\xc5\x86g\xe2^W\xff\xd2RG\xd6\xb2P\xd9\x8a\x8f\xf5^D]B|i\x9c\x97W\xf8^NL\x8a\x9dsk\xdac\xb5^V\xe3\xa0\xf14\x94^K\xb8\xff^ER\xfa\xe4\xf8\x955\xdd\xa1\xa8\0^Y^Qr/^E\x9a\xb4\xee}\xde\xb7@
\xf2\x92^N/\xe4L\xc5\xd3\xebT\xcb\xa1&\x90^A\xbcC\xd9\xdaW\x9f^A^Vbt\x9f\xb1\x81\x1dX^Mx^\xeb6^H{v\xeeA\xeeAA\x9eD\x81E\xe1\xdeA\xa8\x1f^U\xe6\xd2\xbcr\xf1cIc\xac^TB\x8d\xd8\x8a\xf5\xd1L\xac\xd9\xad\xbb%\xc8=^J\x87\x1b\x89\xa46\x8d;d\xfd\xd8$\xf7=Y^I\xdev\x85]h^BNT\x9c^UL8\xb9%M^Y\x83\xc0C^G\xa1\xd9L^S\x854\xdfi^A\xf8;\xe9\x90^Hj@
^\x1fO^S:\xfc%\xf9*\\x98\x1e\xf2b\xcc\xb3^Y^Ga\xa0\xf5tw;\xddg^?^CG\x8f\x88\xef^B\xbb\xcd=^Thn\x1b\xa3^O\xf1^E\xb5\xa1\0@
\x85\xe0\x8b\xf5^GW\xc0\x94\x8a\xee\xa7^T\x99\xd7qq'6\xa9X\xe4#;\xefg4D\x82^G\l\xbbH\x82\xbc\xc2G\xf7\xca\x9f\xa5K@
\x1e\xe7lB^O\xe3\xbd+\xf4\xa1\x89\xd1@
\xc4\xc6\xd6\x1b^U^Fpf\x89h\xc3G\xf3\x88o^Fg\xe7#q\x9d\x1d\xd9\xa1,\x81\xc6\x9bF^R^P^\xd5H)()^T8\xebT\x86\xc0\xd8\x1c_\x95\xe6\xab\x82l=\x82v\x90\xb2g\xf6O\xecE(\xa0\xceR\6)^OX[\xea\xcf\x89^Qd\xbeg^Q\xc7\xc0\xed\x90FG\x80:/!b\x1d^S\xa8\x89\x95\x8e>\xea\xe1s|^?,\xf2\xe6d\xb8\xee)\xd9Ti\xefO\xa2\xdb\xab\xeb\xf1\xe6\xc70W\x89\xdam\xbd\x8ewiS\xc5\x95^G^C\xadM\xbf^K\xdb\xed\xa0\x97K\xe9\x1c\xf2^?\x92k\x92Vk\x89>\xb9l\xff\x80\x97^UXN\xbf\x90[\xe6AH)X\xe99\xce\xb5\xf0>^E'\xb1C^J\xe0\x82\xc1\xffj3u\xe8\xbb\xaeyE#\xb8\xbe\xa7\xa9\xeb\x93{\xa3\x90^Y\xe1,[.Y\xf3^Z\xa8\xa5\x99\x96\xc5sI=\xa5\xf0~\xc1^M\xe2\xc7RK^XF\x80\x1bhX\xdc\xc4P\xcb^P^W^Z\xe2\x8a\xdb'@a
;\xa9\xa0^G"+d\x9f\xa0\xd1j\x993\x83^A\xaa\x80\xfc\xc3\x8f\xf3\xf2\xd1\x96kG\xa8\xf7\xb1\xf4\xe6\xd4\x9d\xc4Y\xbc\xd9\xc1\xaf^D^N\xce^Q\xf6\xd9H^E^?\xe6\xfc\xe6\x8210\x1f\x86yrO\x96s\xffU^R3^V\xa6^UD\xb3^Nt\xed"\x92\xa3``\xd4^Fn\xdb^Lf\xd5\xc2^K1^E\xdf\xa6\xe7\xbc\xb8'=\xa9\xeft\xeb;O1R\x1er\xccC&\x99\xba\x85t\xfa\xc8\xe7^D\xdc5\x1bN at M\x8cFrB2\xe3\x83^So^U\xcf\x9cu\xde9\xe7xV"$Q\^K\xef^U^M\xbd\x99\xd5I^EgS\xfe\xaf\xa3^I\x80P\xad!\x88\x97;\x85\xf1\x95\xed^Y^Im\xd9\x93\x9e4O\xe4Y^S\x88\x88^F\xa8'^U_}\xa1\xcbh.;\xe6\xc7\xac^KSGvF<\xe4i\xe7GN\0rV\xbd\xcf}`\x84\xa5^G\xe6\xa1U\xc6\x91,^Ct\xe0A\x99\x9d^O\xffj\xe8\xf4n\x86^^J\xf1\x91.\xaa\xc0^Y?\x8bV^N\xc1\x8aJPhh\xfa\xbc\xf3\x9e\xd1yX\0\x1f$^Ml(\xe6\xbd^Ji\xd9')
at /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro:37
In http_entity_data(c = '[id=[orig_h=192.168.1.13, orig_p=50402/tcp,
resp_h=209.132.180.131, resp_p=80/tcp], orig=[size=121, state=4,
num_pkts=4, num_bytes_ip=216, flow_label=0], resp=[size=3095, state=4,
num_pkts=4, num_bytes_ip=1963, flow_label=0], start_time=1338087055.218736,
duration=0.27459, service={
}, addl=, hot=0, history=ShACad, uid=cTLeNAfgQo2, dpd=<uninitialized>,
conn=[ts=1338087055.218736, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13,
orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], proto=tcp,
service=<uninitialized>, duration=<uninitialized>,
orig_bytes=<uninitialized>, resp_bytes=<uninitialized>,
conn_state=<uninitialized>, local_orig=T, missed_bytes=121,
history=<uninitialized>, orig_pkts=<uninitialized>,
orig_ip_bytes=<uninitialized>, resp_pkts=<uninitialized>,
resp_ip_bytes=<uninitialized>], extract_orig=F, extract_resp=F,
dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>,
http=[ts=1338087055.413572, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13,
orig_p=50402/tcp, resp_
37 if ( is_orig || ! c?$http ) return;
(Bro [2]) print c
(Bro [3]) print is_orig
--
Chris Green <greencm at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120528/b766e424/attachment.html
More information about the Bro
mailing list