[Bro] Broccoli Code Not Working : Not receiving any events
Sherine Davis (Security Engineering)
sherine.davis at flipkart.com
Thu Jun 2 22:42:40 PDT 2016
Broccoli code :
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <errno.h>
#include <string.h>
#include <inttypes.h>
#include <broccoli.h>
#include <unistd.h>
#include <stdbool.h>
#include <string.h>
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
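/* Bro peer to connect to when nothing else is configured (loopback only). */
const char *host_default = "127.0.0.1";
const char *port_default = "64646";

/* Host/port actually used; main() points these at the defaults above.
 * const-qualified because they only ever alias string literals. */
const char *host_str;
const char *port_str;

/*
 * Packet counters, incremented from the Broccoli event callbacks.
 * Kept as float to stay compatible with the "%f" reporting printf in main();
 * note that a float counts exactly only up to 2^24 (16777216) increments,
 * after which "++" no longer changes the value.  Switch to an unsigned
 * integer type together with the format string if larger counts matter.
 */
float tcp_packet_out = 0;
float tcp_packet_in = 0;
float udp_packet_in = 0;
float udp_packet_out = 0;

/* uint64 is Broccoli's 64-bit count type; seq is not referenced by the
 * code shown here. */
uint64 seq;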
/* Print the program name to stdout and terminate with success. */
static void
usage(void)
{
    fputs("cero_traffic\n", stdout);
    exit(EXIT_SUCCESS);
}
// For every TCP_PACKET event
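/*
 * Broccoli callback for the Bro "tcp_packet" event.
 *
 * Broccoli hands every event argument over as a pointer; is_orig is the
 * Bro bool, delivered here as int *.  The previous version tested the
 * pointer itself, which is never NULL for a delivered argument, so every
 * packet was counted as inbound.  The flag has to be dereferenced.
 *
 * NOTE(review): Bro's "count" arguments (seq, ack, len) are 64-bit values;
 * if they are ever dereferenced they should be declared as uint64 * rather
 * than int * — confirm against the Broccoli version in use.  The callback
 * is reached through a (BroEventFunc) cast, so the compiler cannot check
 * this signature for you.
 *
 * Side effects: increments tcp_packet_in (originator -> responder) or
 * tcp_packet_out, and prints a debug marker to stdout.
 */
static void
bro_tcp_packet(BroConn *bc, void *data, BroRecord *conn, int *is_orig,
               BroString *flags, int *seq, int *ack, int *len, BroString *payload)
{
    /* Only is_orig is consulted; silence unused-parameter warnings. */
    (void)bc;
    (void)data;
    (void)conn;
    (void)flags;
    (void)seq;
    (void)ack;
    (void)len;
    (void)payload;

    printf("1\n\n");

    if (is_orig != NULL && *is_orig) {
        tcp_packet_in++;
    } else {
        tcp_packet_out++;
    }
}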
// For every UDP_REQUEST event
/* Broccoli callback for the Bro "udp_request" event: prints a debug marker
 * and counts the packet as inbound UDP.  conn and data are not used. */
static void
bro_udp_request(BroConn *conn, void *data)
{
    (void)conn;
    (void)data;

    printf("2\n\n");
    udp_packet_in += 1;
}
// For every UDP_REPLY event
/* Broccoli callback for the Bro "udp_reply" event: counts the packet as
 * outbound UDP.  conn and data are not used. */
static void
bro_udp_reply(BroConn *conn, void *data)
{
    (void)conn;
    (void)data;

    udp_packet_out += 1;
}
// Main driver function
// Mainly deals with creating and establishing the connection with Bro
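/*
 * Entry point.  Connects to the Bro peer given by host_default:port_default,
 * registers the tcp_packet callback and then loops forever draining the
 * connection so that the registered callbacks run.
 *
 * argc/argv are accepted but not consulted: the peer address is fixed by the
 * globals above.  Returns EXIT_FAILURE if the connection cannot be set up;
 * the polling loop never returns on its own.
 */
int
main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /* Every diagnostic ends in '\n': without it the markers sat in the stdio
     * buffer (and never appeared when stdout was a pipe or file), which made
     * the program look stuck before the first event. */
    printf("Starting program\n");

    BroConn *bc = NULL;
    char hostname[512];

    bro_init(NULL);
    host_str = host_default;
    port_str = port_default;
    printf("Marker1-success\n");

    /* Size from the array, and refuse a truncated "host:port" rather than
     * silently connecting somewhere else. */
    int written = snprintf(hostname, sizeof hostname, "%s:%s", host_str, port_str);
    if (written < 0 || (size_t)written >= sizeof hostname) {
        printf("Peer address %s:%s does not fit in the hostname buffer.\n",
               host_str, port_str);
        return EXIT_FAILURE;
    }

    bc = bro_conn_new_str(hostname, BRO_CFLAG_RECONNECT);
    if (bc == NULL) {
        printf("Could not get Bro connection handle.\n");
        return EXIT_FAILURE;
    }

    /* Callbacks are registered before connecting, as before; the UDP
     * handlers stay disabled. */
    bro_event_registry_add(bc, "tcp_packet", (BroEventFunc) bro_tcp_packet, NULL);
    /*
    bro_event_registry_add(bc, "udp_request", (BroEventFunc) bro_udp_request, NULL);
    bro_event_registry_add(bc, "udp_reply", (BroEventFunc) bro_udp_reply, NULL);
    */
    printf("Marker2-success\n");

    if (!bro_conn_connect(bc)) {
        printf("Could not connect to Bro at %s:%s.\n", host_str, port_str);
        return EXIT_FAILURE;
    }
    printf("Marker3-success\n");

    for (;;) {
        sleep(1);
        printf("in\n");
        /* NOTE(review): bro_event_registry_request() re-sends the event
         * request on every iteration; it is documented as needed only when
         * callbacks were added after connecting — confirm against the
         * Broccoli docs and consider calling it once, after the connect. */
        bro_event_registry_request(bc);
        bro_conn_process_input(bc);
        /* Periodic rate dump, restored as a single line (it had been split
         * across lines, which left part of it outside the comment):
         * printf("tcp_packet_out : %f tcp_packet_in : %f udp_packet_in : %f udp_packet_out : %f\n",
         *        tcp_packet_out, tcp_packet_in, udp_packet_in, udp_packet_out);
         */
    }

    /* Not reached: the loop above never exits.  Kept so the teardown is
     * obvious if a stop condition is ever added. */
    bro_conn_delete(bc);
    return EXIT_SUCCESS;
}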
Bro Code :
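@load policy/frameworks/communication/listen

# Let's make sure we use the same port no matter whether we use encryption or not:
redef Communication::listen_port = 64646/tcp;

# Redef this to T if you want to use SSL.
redef Communication::listen_ssl = F;

# Set the SSL certificates being used to something real if you are using encryption.
#redef ssl_ca_certificate = "<path>/ca_cert.pem";
#redef ssl_private_key = "<path>/bro.pem";

# Peer entry for the Broccoli client.  $connect=F means Bro waits for the
# client to connect rather than dialing out; $ssl=F matches listen_ssl above,
# so this link is plaintext and relies on the host filter being loopback.
redef Communication::nodes += {
	["cero_traffic"] = [$host = 127.0.0.1, $connect=F, $ssl=F]
};

# Log handle for this script; the tcp_packet handler below prints to stdout
# and does not write to it.
global ct_log = open_log_file("cero_traffic");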
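# Handler for every TCP packet: prints the 4-tuple in the direction the packet
# travels (originator -> responder when is_orig is T), plus the TCP flags and
# the payload length.  seq, ack and payload are not used.
# The fmt() strings are each on one line: a Bro string literal cannot span
# lines, and the wrapped version would not parse.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)
	{
	if ( is_orig )
		print fmt("TCP PACKET | CONN: %s:%s > %s:%s |FLAG: %s |LEN: %s", c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, flags, len);
	else
		print fmt("TCP PACKET | CONN: %s:%s > %s:%s |FLAG: %s |LEN: %s", c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p, flags, len);
	}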
#event udp_request(u: connection)
#{
# print fmt("UDP PACKET | CONN: %s:%s > %s:%s",u$id$orig_h,u$id$orig_p,u$id$resp_h,u$id$resp_p);
#}
#event udp_reply(u: connection)
#{
# print fmt("UDP PACKET | CONN: %s:%s > %s:%s",u$id$resp_h,u$id$resp_p,u$id$orig_h,u$id$orig_p);
#}