[Bro] Implementing broping.c in broscript
James Hook
jamesfhook at gmail.com
Thu Oct 10 09:59:05 PDT 2013
Hi Seth,
Sorry to keep pestering you, i'm still having trouble getting this to work.
I have wireshark'd it and can see the connection being made, but when
comparing it with a wireshark of the compiled c code, i'm missing the
initial ping event going across the connection.
The C code:
- uses bro_conn_new_str to get a new connection handle
- uses bro_event_registry_add to add the "pong" event to this connection
- uses bro_conn_connect to establish the connection
Would i be right in thinking that all you need to do in bro script is add
the following entry to the Communication::nodes table?
redef Communication::nodes += {
["broping2"] = [$host = 127.0.0.1, $p = 47758/tcp, $events = /pong/,
$connect=T, $ssl=F]
};
I have tried both ping and pong (and both) in this entry without any luck -
the C code sends ping events down to the bro instance and is listening for
pong events coming back.
The c code sends the ping event using "bro_event_send( connection, event);"
on line 442 of broping.c.
Again, sorry for my lack of understanding here - hope you can help :-)
James
On 10 October 2013 13:16, Seth Hall <seth at icir.org> wrote:
>
> On Oct 10, 2013, at 5:11 AM, James Hook <jamesfhook at gmail.com> wrote:
>
> > redef Communication::nodes += {
> > ["broping2"] = [$host = 127.0.0.1, $p = 47758/tcp, $events = /pong/,
> $connect=T, $ssl=F]
>
> You need to subscribe to the ping event, not the pong event.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131010/5c54a103/attachment.html
More information about the Bro
mailing list