[Bro] broccoli not processing events
James Feister
openjaf at gmail.com
Mon Dec 8 10:55:21 PST 2014
On Mon, Dec 8, 2014 at 11:56 AM, Siwek, Jon <jsiwek at illinois.edu> wrote:
>
> > On Dec 7, 2014, at 11:02 AM, James Feister <openjaf at gmail.com> wrote:
> >
> > I am creating an application based on the broccoli test/broconn source.
> It seems when running the broconn example and the application I am writing
> using bro versions 2.0 and 2.1, I can subscribe to "new_connection" events
> and process them in a callback; everything is great. But when using bro
> version 2.3 there is no processing of the events sending them to the
> callback. This goes for the broconn example and my app.
>
> The “connection” record in Bro has evolved over time to include data types
> that Broccoli clients can no longer process (I think it’s “opaque” types
> that are now problematic, but may be misremembering). Broccoli silently
> (unless debug output is turned out) fails to invoke callbacks for events
> that use those data types.
>
> As a general suggestion, try writing custom Bro events to pick and choose
> particular things to send to Broccoli clients. E.g.:
>
> global my_custom_new_connection: event(cid: conn_id);
>
> event new_connection(c: connection)
> {
> event my_custom_new_connection(c$id);
> }
>
> Then have the Broccoli client register a callback for
> “my_custom_new_connection” instead of “new_connection”.
>
> I think this should workaround the bug in Broccoli as well as be more
> efficient (unless the Broccoli client actually intended to make use of
> every last bit of data in the connection record). Also, the new library
> being developed to replace Broccoli/Bro communication, called Broker, is
> planned to require being explicit about the content of remotely
> communicated messages. So writing code in this way should make it easier
> to adapt to the new library when available.
>
> - Jon
Thank you, I will go that path with my development.
- Jim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20141208/1fd6414c/attachment.html
More information about the Bro
mailing list