[Bro] Plugin doesn't seem to get instantiated
Bas Vermeulen
basvermeulen80 at yahoo.com
Sun Aug 23 08:40:01 PDT 2015
Hi,
In order to find the reason that my plugin isn't doing anything, I have recompiled with --enable-debug and I run with bro -B plugins. The debug.log now contains:
0.000000/1440343663.376984 [plugins] Found plugin mynamespace::myplugin in /usr/local/bro/lib/bro/plugins/mynamespace_myplugin
0.000000/1440343663.383816 [plugins] Activating plugin mynamespace::myplugin
0.000000/1440343663.383855 [plugins] Adding /usr/local/bro/lib/bro/plugins/mynamespace_myplugin/scripts to BROPATH
0.000000/1440343663.383892 [plugins] Loading /usr/local/bro/lib/bro/plugins/mynamespace_myplugin/scripts/__preload__.bro
0.000000/1440343663.383908 [plugins] Loading /usr/local/bro/lib/bro/plugins/mynamespace_myplugin/lib/bif/__load__.bro
0.000000/1440343663.383921 [plugins] Loading /usr/local/bro/lib/bro/plugins/mynamespace_myplugin/scripts/__load__.bro
0.000000/1440343663.383932 [plugins] Searching for shared libraries /usr/local/bro/lib/bro/plugins/mynamespace_myplugin//lib/*.linux-x86_64.so
0.000000/1440343663.384400 [plugins] Registering component PluginAnalyzer (tag 68/0)
0.000000/1440343663.384527 [plugins] Loaded /usr/local/bro/lib/bro/plugins/mynamespace_myplugin//lib/mynamespace-myplugin.linux-x86_64.so
I also added the Available() function to Plugin.h.
Is this all that is required? The plugin still doesn't do anything... Any hints? Or does anyone have an example non-built-in plugin that works on all connections regardless of ports and signatures?
Best regards,
Bas
On Friday, August 21, 2015 9:31 PM, Bas Vermeulen <basvermeulen80 at yahoo.com> wrote:
Hi all,
I want to create my own bro plugin but I'm stuck in the playing-around phase. Below is my current code and information about my system. I know packet counts are available in the normal logs; this is just my hello world for bro. The problem is that while bro seems to recognize that there is a plugin, it doesn't seem to instantiate the analyzer when it is processing a pcap. I've tried to activate it using the environment variables, the Available function and the EnableHook. I need to process all connections so I can't use port numbers or signatures.
The only output the plugin creates is 'hello world!' from the Plugin.cc. If the Analyzer gets instantiated, I would expect more output.
Could someone please help me?
Bas
Plugin.cc:
----------
#include "plugin/Plugin.h"
#include "plugin/Manager.h"
#include "PluginAnalyzer.h"

namespace plugin {
namespace mynamespace_myplugin {

class Plugin : public plugin::Plugin {
public:
    plugin::Configuration Configure()
    {
        AddComponent(new ::analyzer::Component("PluginAnalyzer", ::analyzer::mynamespace_myplugin::PluginAnalyzer::Instantiate));

        plugin::Configuration config;
        config.name = "mynamespace::myplugin";
        config.description = "Test_plugin";
        config.version.major = 0;
        config.version.minor = 2;

        cout << "hello world!\n";

        // Attempt to enable the plugin, this doesn't seem to
        // do anything
        EnableHook(HOOK_SETUP_ANALYZER_TREE, 1);

        return config;
    }
} plugin;

}
}
PluginAnalyzer.h
-----------------
#ifndef PLUGINPROTOCOL_H
#define PLUGINPROTOCOL_H

//#include "analyzer/Analyzer.h"
#include "analyzer/protocol/tcp/TCP.h"

namespace analyzer { namespace mynamespace_myplugin {

//class PluginAnalyzer : public analyzer::Analyzer {
class PluginAnalyzer : public tcp::TCP_ApplicationAnalyzer {
public:
    PluginAnalyzer(Connection* c);
    virtual ~PluginAnalyzer();

    virtual void Init();
    virtual void Done();

    // from Analyzer.h
    virtual void UpdateConnVal(RecordVal *conn_val);
    virtual void FlipRoles();

    static bool Available()
    {
        cout << "availability checked\n";
        return true;
    }

    static analyzer::Analyzer* Instantiate(Connection* conn)
    { cout << "instantiate\n"; return new PluginAnalyzer(conn); }

    virtual void DeliverStream(int len, const u_char* data, bool orig);

protected:
    uint64_t total_packets;
};

} } // namespace analyzer::*

#endif
PluginAnalyzer.cc
-----------------
#include "PluginAnalyzer.h"
#include "analyzer/protocol/tcp/TCP.h"

using namespace analyzer::mynamespace_myplugin;

PluginAnalyzer::PluginAnalyzer(Connection* c)
    : tcp::TCP_ApplicationAnalyzer("MyPluginAnalyzer", c)
{
    cout << "pluginanalyzer constructor\n " ;
}

PluginAnalyzer::~PluginAnalyzer()
{
}

void PluginAnalyzer::Init()
{
    cout << "init \n";
    Analyzer::Init();
    total_packets = 0;
}

void PluginAnalyzer::Done()
{
    Analyzer::Done();
}

void PluginAnalyzer::DeliverStream(int length, const u_char* data, bool orig)
{
    tcp::TCP_ApplicationAnalyzer::DeliverStream(length, data, orig);
    cout << "deliverStream \n";
    total_packets++;
}

void PluginAnalyzer::UpdateConnVal(RecordVal *conn_val)
{
    cout << "UpdateConnVal begin\n";

    int totalidx = conn_val->Type()->AsRecordType()->FieldOffset("total_packets");
    if ( totalidx < 0 )
        reporter->InternalError("missing total packets field");

    conn_val->Assign(totalidx, new Val(total_packets, TYPE_COUNT));
    Analyzer::UpdateConnVal(conn_val);

    cout << "UpdateConnVal end\n";
}

void PluginAnalyzer::FlipRoles()
{
}
This is what I have done...
$ make
< no error messages >
$ sudo make install
< no error messages >
$ export BRO_PLUGIN_PATH=~/plugin
$ export BRO_PLUGIN_ACTIVATE=mynamespace::myplugin
$ bro -N
hello world!
mynamespace::myplugin - Test_plugin (dynamic, version 0.2)
Bro::ARP - ARP Parsing (built-in)
Bro::AsciiReader - ASCII input reader (built-in)
.....
$ rm *.log
$ bro -C -r test.pcap
hello world!
$ ls *.log
conn.log packet_filter.log ssh.log
This is info about my system and installation...
$ bro -v
bro version 2.4-84
$ uname -srvpio
Linux 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 GNU/Linux
When I installed from source I used:
./configure --disable-broker
make
sudo make install
The plugin was originally created with the init-plugin tool.