[Bro] using broccoli to receive events to bro
roi hatam
roihat168 at yahoo.com
Wed Jul 23 08:42:51 PDT 2014
Hello,
I need help please.
I'm trying to connect with broccoli and intercept http requests.
This is what my C code looks like:
------------------------------ ------------------------------ ----------------
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* sleep() */
#include <broccoli.h>

const char *host_str = "127.0.0.1";
const char *port_str = "47761";
int seqcheck = 0;

/* Callback meant to run for each http_request event */
static void
http_request_c(BroConn *conn, void *data, ... /* BroRecord *c, BroString *method,
               BroString *original_URI, BroString *unescaped_URI, BroString *version */)
{
    seqcheck++;
    fprintf(stdout, "inside http_request_c");
    fflush(stdout);
    conn = NULL;
    data = NULL;
}

int main(int argc, char **argv)
{
    BroConn *bc;
    char hostname[512];

    bro_init(NULL);
    snprintf(hostname, 512, "%s:%s", host_str, port_str);

    /* Connect to Bro */
    if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_RECONNECT | BRO_CFLAG_ALWAYS_QUEUE))) {
        printf("Could not get Bro connection handle.\n");
        exit(-1);
    }

    bro_conn_set_class(bc, "control");

    if (! bro_conn_connect(bc)) {
        printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
        exit(-1);
    }

    /* Poll the connection for input once per second */
    for ( ; ; ) {
        bro_conn_process_input(bc);
        sleep(1);
        fprintf(stdout, "sleep...%d\n", seqcheck);
        fflush(stdout);
    }

    /* Disconnect from Bro and release state. */
    bro_conn_delete(bc);
    return 0;
}
------------------------------ ------------------------------ ----------------
And this is what the communication.log looks like:
------------------------------ ------------------------------ ----------------
1405931366.168104 bro child - - - info selects=13100000 canwrites=0 timeouts=13096722
1405931391.046791 bro child - - - info selects=13200000 canwrites=0 timeouts=13196721
1405931415.866668 bro child - - - info selects=13300000 canwrites=0 timeouts=13296721
1405931418.801334 bro child - - - info [#10014/127.0.0.1:50634] accepted clear connection
1405931418.801869 bro parent - - - info [#10014/127.0.0.1:50634] added peer
1405931418.801869 bro parent - - - info [#10014/127.0.0.1:50634] peer connected
1405931418.801869 bro parent - - - info [#10014/127.0.0.1:50634] phase: version
1405931418.802301 bro parent - - - info parent statistics: pending=0 bytes=121K/315286K chunks=2670/5206 io=1265/2097 bytes/io=0.10K/150.35K events=1056/2537 operations=0/0
1405931418.802301 bro parent - - - info child statistics: [0] pending=0 bytes=0K/0K chunks=0/0 io=0/0 bytes/io=-nanK/-nanK
1405931418.802301 bro script - - - info connection established
1405931418.802301 bro script - - - info requesting events matching /^?(Control::.*_request)$?/
1405931418.802301 bro script - - - info accepting state
1405931418.803341 bro parent - - - info [#10014/127.0.0.1:50634] peer sent class "control"
1405931418.803341 bro parent - - - info [#10014/127.0.0.1:50634] phase: handshake
1405931419.041201 bro parent - - - info [#10014/127.0.0.1:50634] peer does not support 64bit PIDs; using compatibility mode
1405931419.041201 bro parent - - - info [#10014/127.0.0.1:50634] peer is a Broccoli
1405931419.041201 bro parent - - - info [#10014/127.0.0.1:50634] phase: running
------------------------------ ------------------------------ ----------------
I don't see anything on my screen other than "sleep...0".
I know for sure that the http_request is triggered because I see that in the http.log.
I will be very thankful for any kind of help.