[Bro] using broccoli to send events to bro

Mike Sconzo sconzo at visiblerisk.com
Mon Sep 23 18:20:09 PDT 2013


I've got a .bro file that looks like:

module A;
global f: file = open("wtf.txt");
redef Communication::nodes += {
        ["test"] = [$host = 127.0.0.1, $events = /test1/],
};
event test1(a: string)
    {
    print f, "got here";
    }

and a Python script that looks like:
#! /usr/bin/python

from broccoli import *

bc = Connection("127.0.0.1:47761")
bc.send("test1", "aaaaaaaaaaaaaaaa")
bc.processInput();
print "done"

I get the following log messages:
1379985413.067179       manager child   -       -       -       info    [#10005/127.0.0.1:34609] accepted clear connection
1379985413.068412       manager parent  -       -       -       info    [#10005/127.0.0.1:34609] added peer
1379985413.068412       manager parent  -       -       -       info    [#10005/127.0.0.1:34609] peer connected
1379985413.068412       manager parent  -       -       -       info    [#10005/127.0.0.1:34609] phase: version
1379985413.068412       manager script  -       -       -       info    connection established
1379985413.068412       manager script  -       -       -       info    requesting events matching /^?(test1)$?/
1379985413.068412       manager script  -       -       -       info    accepting state
1379985413.069943       manager parent  -       -       -       info    [#10005/127.0.0.1:34609] phase: handshake
1379985413.270825       manager parent  -       -       -       info    [#10005/127.0.0.1:34609] peer does not support 64bit PIDs; using compatibility mode
1379985413.270825       manager parent  -       -       -       info    [#10005/127.0.0.1:34609] peer is a Broccoli
1379985413.270825       manager parent  -       -       -       info    [#10005/127.0.0.1:34609] phase: running
1379985413.270825       manager script  -       -       -       info    connection closed
1379985413.272093       manager parent  -       -       -       info    [#10005/127.0.0.1:34609] peer disconnected
1379985413.273243       manager child   -       -       -       info    [#10005/127.0.0.1:34609] connection closed
1379985413.851595       worker-1        child   -       -       -       info    selects=3100000 canwrites=0 timeouts=3098508
1379985416.921436       manager child   -       -       -       info    selects=3200000 canwrites=0 timeouts=3198460
1379985411.837037       proxy-1 child   -       -       -       info    selects=3100000 canwrites=0 timeouts=30999

But nothing gets persisted to the "wtf.txt" file. I'm sure (I hope)
I'm missing something super easy. Any ideas?

Thanks!

-- 
cat ~/.bash_history > documentation.txt


