[Bro] icmp events (custom and original) not firing?

Siwek, Jon jsiwek at illinois.edu
Tue Mar 3 09:04:11 PST 2015


> On Mar 2, 2015, at 5:16 PM, Scott Wells <swells at cyberadapt.com> wrote:
>  
> However:
> 1) There is only one ‘event icmp*’ function block, and that’s in /bro/share/bro/policy/misc/detect-traceroute/main.bro for ‘icmp_time_exceeded’. This has an associated ‘event icmp_time_exceeded’ (line 98). I add my ‘icmp_time_exceeded_test(c$id, icmp, code, context)’ line in that function and register it with another bro_event_registry_add_compact line in my C code, but the event (original and my _test version) never fires.  I’m not sure I’m using the correct ‘event icmp’ since the detect-traceroute comments say it’s for a Time Exceeded threshold, and I’m more interested in capturing ANY Time exceeded event.
> 2) Given 1), I cannot find a ‘main.bro’ file with ‘event icmp_packet_too_big’, and so that event (original and _test version) never fires, either.

Are you sure that policy/misc/detect-traceroute/main.bro is loaded?  E.g. if you’re running from the command line it won’t be loaded by default; you’d need something like:

bro -r icmp.pcap misc/detect-traceroute/main.bro

This is sort of a detour from the specific problem, but rather than modifying existing scripts, I’d suggest defining your own event handlers for the ones you need.  I’d try to get something simple working from the command-line first.  E.g. create a file called “test.bro” containing:

event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
	{
	print "icmp_time_exceeded", c$id, icmp, code, context;
	}

Then run:

bro -r icmp.pcap ./test.bro

If you see output, then it works and you can modify the handler however you need.  If not, then there’s something specific about the pcap you’re using that I’d probably need to see in order to tell what’s wrong, but sometimes weird.log might have hints as to what’s wrong.

- Jon
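As an added example (not part of Jon's reply or the Bro distribution), the same standalone-handler approach extended to both ICMP error events from the original question, writing to a dedicated log instead of printing. It assumes the Bro 2.x `icmp_conn` and `icmp_context` record fields and is run the same way as test.bro above.

```bro
# Own handlers for icmp_time_exceeded and icmp_packet_too_big; no changes to
# the shipped detect-traceroute script are needed. Run with:
#   bro -r icmp.pcap ./icmp_errors.bro      (produces icmp_errors.log)
module ICMPErrors;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:         time   &log;  # when the ICMP error was seen
		event_name: string &log;  # which handler fired
		icmp_src:   addr   &log;  # router/host that emitted the ICMP error
		icmp_dst:   addr   &log;  # host the error was delivered to
		icode:      count  &log;  # ICMP code field
		orig_h:     addr   &log;  # 4-tuple of the embedded (offending) packet
		resp_h:     addr   &log;
		orig_p:     port   &log;
		resp_p:     port   &log;
		truncated:  bool   &log;  # embedded header cut short: ports unreliable
	};
}

event bro_init()
	{
	Log::create_stream(ICMPErrors::LOG, [$columns=Info]);
	}

# Shared by both handlers: the context record carries the header of the
# packet that triggered the error, which is what an analyst usually wants.
function record_error(name: string, icmp: icmp_conn, code: count, context: icmp_context)
	{
	local info: Info = [$ts=network_time(), $event_name=name,
	                    $icmp_src=icmp$orig_h, $icmp_dst=icmp$resp_h,
	                    $icode=code,
	                    $orig_h=context$id$orig_h, $resp_h=context$id$resp_h,
	                    $orig_p=context$id$orig_p, $resp_p=context$id$resp_p,
	                    $truncated=context$bad_hdr_len];
	Log::write(ICMPErrors::LOG, info);
	}

event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
	{
	record_error("icmp_time_exceeded", icmp, code, context);
	}

event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
	{
	record_error("icmp_packet_too_big", icmp, code, context);
	}
```

If icmp_errors.log stays empty on a pcap known to contain these messages, the handlers are being loaded but not triggered, which points at the capture (as Jon notes, weird.log is the place to look).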


