[Bro] using broccoli to receive events to bro

roi hatam roihat168 at yahoo.com
Wed Jul 23 08:42:51 PDT 2014


Hello,
I need help please.
I'm trying to connect with broccoli and intercept http requests.

This is what my C code looks like:


------------------------------ ------------------------------ ----------------
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* sleep() */
#include <broccoli.h>

const char *host_str = "127.0.0.1";
const char *port_str = "47761";
int seqcheck =0;

static void
http_request_c(BroConn *conn, void *data, ...
               /* BroRecord *c, BroString *method, BroString *original_URI,
                  BroString *unescaped_URI, BroString *version */){
    seqcheck++;
    fprintf(stdout, "inside http_request_c");
    fflush(stdout);

    conn = NULL;
    data = NULL;
}

int main(int argc, char **argv)
{

    BroConn *bc;
    char hostname[512];

    bro_init(NULL);
    snprintf(hostname, 512, "%s:%s", host_str, port_str);

    /* Connect to Bro */
    if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE))){
        printf("Could not get Bro connection handle.\n");
        exit(-1);
    }

    bro_conn_set_class(bc, "control");
    if (! bro_conn_connect(bc)){
        printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
        exit(-1);
    }

    for ( ; ; ){ 
        bro_conn_process_input(bc);

        sleep(1);
        fprintf(stdout,"sleep...%d\n", seqcheck);
        fflush(stdout);
    }

    /* Disconnect from Bro and release state. */
    bro_conn_delete(bc);
    return 0;
}



------------------------------ ------------------------------ ----------------



And this is what the communication.log looks like:


------------------------------ ------------------------------ ----------------
1405931366.168104    bro    child    -    -    -    info    selects=13100000 canwrites=0 timeouts=13096722
1405931391.046791    bro    child    -    -    -    info    selects=13200000 canwrites=0 timeouts=13196721
1405931415.866668    bro    child    -    -    -    info    selects=13300000 canwrites=0 timeouts=13296721
1405931418.801334    bro    child    -    -    -    info    [#10014/127.0.0.1:50634] accepted clear connection
1405931418.801869    bro    parent    -    -    -    info    [#10014/127.0.0.1:50634] added peer
1405931418.801869    bro    parent    -    -    -    info    [#10014/127.0.0.1:50634] peer connected
1405931418.801869    bro    parent    -    -    -    info    [#10014/127.0.0.1:50634] phase: version
1405931418.802301    bro    parent    -    -    -    info    parent statistics: pending=0 bytes=121K/315286K chunks=2670/5206 io=1265/2097 bytes/io=0.10K/150.35K events=1056/2537 operations=0/0
1405931418.802301    bro    parent    -    -    -    info    child statistics: [0] pending=0 bytes=0K/0K chunks=0/0 io=0/0 bytes/io=-nanK/-nanK
1405931418.802301    bro    script    -    -    -    info    connection established
1405931418.802301    bro    script    -    -    -    info    requesting events matching /^?(Control::.*_request)$?/
1405931418.802301    bro    script    -    -    -    info    accepting state
1405931418.803341    bro    parent    -    -    -    info    [#10014/127.0.0.1:50634] peer sent class "control"
1405931418.803341    bro    parent    -    -    -    info    [#10014/127.0.0.1:50634] phase: handshake
1405931419.041201    bro    parent    -    -    -    info    [#10014/127.0.0.1:50634] peer does not support 64bit PIDs; using compatibility mode
1405931419.041201    bro    parent    -    -    -    info    [#10014/127.0.0.1:50634] peer is a Broccoli
1405931419.041201    bro    parent    -    -    -    info    [#10014/127.0.0.1:50634] phase: running

------------------------------ ------------------------------ ----------------


I don't see anything on my screen other than "sleep...0".

I know for sure that the http_request is triggered because I see that in the http.log.



I will be very thankful for any kind of help.