[Bro] Some events not received by broccoli

Björn Samvik Bjorn.Samvik at netclean.com
Wed Dec 4 04:06:27 PST 2013


Hello

I have tested your patch and it works perfectly.

Thanks for the information and the patch.

/Björn



________________________________________
From: Siwek, Jonathan Luke <jsiwek at illinois.edu>
Sent: Tuesday, December 03, 2013 18:54
To: Björn Samvik
Cc: bro at bro.org
Subject: Re: [Bro] Some events not received by broccoli

On Nov 22, 2013, at 9:04 AM, Björn Samvik <Bjorn.Samvik at netclean.com> wrote:

> Hello,
>
> I'm using broccoli to receive bro (2.2-5) events and am having some problems. Consider the following.
>
> The broccoli client is listening to 2 events.
> bro_event_registry_add(m_bc, "file_new", (BroEventFunc)&Broccoli::newFile, this);
> bro_event_registry_add(m_bc, "test_event", (BroEventFunc)&Broccoli::newFile, this);
>
> The following bro script is used.
>
> ...
> global test_event: event(f: fa_file);
> event file_new(f: fa_file)
> {
>     event test_event(f);
> }
>
> The file_new event is correctly received by my broccoli client however the test_event is not received. If I change the content of the test_event to something else it works.
>
> ...
> global test_event: event(f: string);
> event file_new(f: fa_file)
> {
>     event test_event(f$mime_type);
> }
>
> So, is this expected and in that case why and what is the proposed way of solving the issue?
>
> (Also noticed that the file_state_removed(f: fa_file) event is not received by the broccoli client.)

It’s somewhat of a bug in broccoli: it doesn't support receiving events that have arguments containing vector values and silently discards those that do.  The reason why file_new is received, but not test_event/file_state_removed is because the fa_file record argument starts off with some optional vector fields that aren’t initialized and they later become populated by some Bro scripts before test_event/file_state_removed make it through the event queue.

I’ve patched broccoli [1] to be able to receive vectors, which should fix your problem if you want to try it.  Otherwise, the workaround is to send the broccoli client simpler data types (Bro connection/fa_file/*::Info records can get complicated), perhaps picking out just pieces you need.

- Jon

[1] https://bro-tracker.atlassian.net/browse/BIT-1100
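The workaround Jon describes (send the broccoli client simpler data types, picking out just the pieces you need), written out as an added Bro script example; it is not code from either poster. It assumes the fa_file fields id, source, seen_bytes and mime_type, and the record name FileSummary and event name file_summary are hypothetical names chosen for the example.

```bro
# Added example: forward only scalar fields of fa_file to broccoli instead of
# the whole record, which may carry vector-typed fields that an unpatched
# broccoli silently discards along with the entire event.

# Hypothetical record holding only scalar types (string, count, bool).
type FileSummary: record {
    id:         string;
    source:     string;
    seen_bytes: count;
    # fa_file$mime_type is &optional, so keep it &optional here too.
    mime_type:  string &optional;
    # Marks whether this summary was sent on file_new (F) or
    # file_state_removed (T); lets one event replace two.
    finished:   bool;
};

# Hypothetical event the broccoli client registers for with
# bro_event_registry_add(bc, "file_summary", ...) and then reads with
# bro_record_get_named_val() on the single record argument.
global file_summary: event(s: FileSummary);

function summarize(f: fa_file, finished: bool): FileSummary
{
    local s: FileSummary = [$id=f$id, $source=f$source,
                            $seen_bytes=f$seen_bytes, $finished=finished];
    # Only dereference optional fields after checking they are set,
    # otherwise the script aborts at runtime.
    if ( f?$mime_type )
        s$mime_type = f$mime_type;
    return s;
}

event file_new(f: fa_file)
{
    event file_summary(summarize(f, F));
}

event file_state_removed(f: fa_file)
{
    # The fa_file record is fully populated by now, so seen_bytes and
    # mime_type are at their final values.
    event file_summary(summarize(f, T));
}
```

Because FileSummary contains no vector, set or table fields, both the file_new and file_state_removed summaries reach an unpatched broccoli client.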



