[Bro] help required in logs with bro

Yagyesh Srivastava ysrivas at ncsu.edu
Wed Nov 23 15:26:04 PST 2016


Sure, I am sorry, I don't quite understand what you mean by raising an
event and defining an event.

As I understand it, the incoming packets are picked up by Bro and then some sort
of stream (Delivered Stream) is formed (not sure here), and then they go through
the analyzer tree, which then figures out, based on the signature,
whether a particular packet is HTTP or not (let's say). Then an HTTP event is
generated, and if the corresponding event handler is defined then the event
is put in the event queue.
When the event reaches the head of the queue it is processed, and
the event handler feeds the corresponding data structures, which will be used by
scripts as well, and the script is notified by the event handler of the
event having occurred.

So with respect to HTTP, what function does HTTP.cc perform here, and what
does events.bif.cc perform?

It would be great if you can give some idea here.

I am trying to put some debug logs in each of the functions in events.bif.cc
and HTTP.cc (the debug logs are just opening a file and printing to that
file). But all I can see printed is bro_init. Any idea as to why?

Thanks and regards,


On Wed, Nov 23, 2016 at 5:32 PM, anthony kasza <anthony.kasza at gmail.com>
wrote:

> HTTP.cc raises events. Events.bif defines events. If you have more
> questions please include the mailing list.
>
> -AK
>
> On Nov 23, 2016 3:30 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:
>
>> One more quick question Anthony, I did follow your blog but I couldn't
>> understand what's the difference between the code present in
>> bro/build/src/analyzer/protocol/http and just
>> bro/src/analyzer/protocol/http. One has the HTTP.cc file, the other has the
>> events.bif.cc file. Both seem to be generating events, but I don't
>> understand the context.
>> Like when will functions in events.bif.cc file be called and when will
>> the HTTP.cc functions be called.
>> Could you please explain briefly?
>>
>> On Wed, Nov 23, 2016 at 5:25 PM, Yagyesh Srivastava <ysrivas at ncsu.edu>
>> wrote:
>>
>>> If you run 'bro -Ci eth0' and browse a webserver over eth0, bro should
>>> spit out logs in your current working directory. If not, Bro is either not
>>> seeing packets or something else is wrong.
>>> *I am getting this correctly.*
>>>
>>> Is there a reason why broctl would not work in this case (when the bro binary
>>> is)?
>>> Also just to make sure, broctl will always send logs in
>>> /nsm/bro/logs/current right?
>>>
>>> On Wed, Nov 23, 2016 at 5:22 PM, anthony kasza <anthony.kasza at gmail.com>
>>> wrote:
>>>
>>>> Try writing a trace file to disk with tcpdump and reading it with Bro
>>>> using the -r option.
>>>>
>>>> On Nov 23, 2016 3:11 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:
>>>>
>>>>> Also Anthony,
>>>>> I did try tcpdump:
>>>>> yagyesh at yagyesh-virtual-machine:/nsm/bro/share/bro/base/protocols/http$
>>>>> sudo tcpdump -nS
>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>>>> decode
>>>>> listening on eth0, link-type EN10MB (Ethernet), capture size 262144
>>>>> bytes
>>>>> 17:03:30.300262 IP 192.168.170.135.45554 > 31.13.69.228.443: Flags
>>>>> [P.], seq 1936267894:1936268148, ack 2692707210, win 64240, length 254
>>>>> 17:03:30.300484 IP 31.13.69.228.443 > 192.168.170.135.45554: Flags
>>>>> [.], ack 1936268148, win 64240, length 0
>>>>>
>>>>>
>>>>> It is showing me the movement of packets.
>>>>>
>>>>> When I am doing a curl to localhost, I am changing the node.cfg
>>>>> file so as to reflect interface=lo and not eth0.
>>>>> That's the only change that we need if we need to monitor the loopback port
>>>>> with bro instead of eth0?
>>>>>
>>>>> Also someone suggested that the interface might not be in monitor
>>>>> mode; had this been the case, would I have received the tcpdump output as
>>>>> mentioned above?
>>>>>
>>>>> On Wed, Nov 23, 2016 at 5:01 PM, Yagyesh Srivastava <ysrivas at ncsu.edu>
>>>>> wrote:
>>>>>
>>>>>> By bro binary you mean " bro -i eth0" command?
>>>>>> I can see that when I give this command it's listening on eth0
>>>>>> interface. It initially gave me a warning saying due to NIC checksum it is
>>>>>> receiving bad checksum packets so it will discard it.
>>>>>> So I ran the above command with -C option.
>>>>>> Is this what you were referring to?
>>>>>> Could you please help me understand what's the difference between
>>>>>> this command and broctl?
>>>>>>
>>>>>> Thanks and regards
>>>>>>
>>>>>> On Nov 23, 2016 4:54 PM, "anthony kasza" <anthony.kasza at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Your VM may be using its loopback address for the connection to the
>>>>>>> local Apache server. If Bro is listening on eth0 (not the loopback
>>>>>>> interface) it won't see that traffic.
>>>>>>>
>>>>>>> As for the curl'ing of external sites, have you tried something
>>>>>>> basic like tcpdump just to make sure packets are moving? I'd also try
>>>>>>> running the Bro binary, without broctl, on an interface just to make sure
>>>>>>> Bro is compiled, happy, and seeing packets move.
>>>>>>>
>>>>>>> -AK
>>>>>>>
>>>>>>> On Nov 23, 2016 1:33 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I have downloaded bro and built it on a VM, using configure, make
>>>>>>>> and make install.
>>>>>>>> Then I ran broctl install and deploy.
>>>>>>>> When I run broctl using "sudo broctl start" and subsequently issue
>>>>>>>> "sudo broctl status", it shows bro running as standalone on localhost.
>>>>>>>>
>>>>>>>> My /nsm/bro/etc/node.cfg file has
>>>>>>>> type = standalone
>>>>>>>> host = localhost
>>>>>>>> interface = eth0
>>>>>>>>
>>>>>>>> Now when I try to connect to the internet using my VM browser,
>>>>>>>> or I curl to localhost (which has an Apache server running, and after
>>>>>>>> making the node.cfg file listen on the loopback interface), in either of the cases
>>>>>>>> I cannot see any logs getting generated.
>>>>>>>>
>>>>>>>>
>>>>>>>> *Can someone please help me with this issue?* I don't think bro is
>>>>>>>> sniffing on the correct interface; there is something trivial, I am
>>>>>>>> guessing, which is going wrong. Please provide any pointers if possible.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Yagyesh
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Bro mailing list
>>>>>>>> bro at bro-ids.org
>>>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>>>>
>>>>>>>
>>>>>
>>>
>>
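The event chain described at the top of this message (analyzer in HTTP.cc raises an event, a script-level handler consumes it) can be observed from the script side without touching the C++ code. The following Bro script is an added example for this thread, not code from the list or from the Bro project; the module name HttpDebug and the log path "http_debug" are assumptions.

```bro
##! Minimal script that consumes the events the HTTP analyzer raises.
##! Added example for this thread, not code from the mailing list or from Bro.

module HttpDebug;

export {
    # Register a new log stream; the stream name and the path "http_debug"
    # below are assumptions made for this example.
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:     time   &log;
        uid:    string &log;
        orig_h: addr   &log;
        resp_h: addr   &log;
        method: string &log &optional;
        uri:    string &log &optional;
        status: count  &log &optional;
    };
}

event bro_init()
{
    # Runs once at startup: this is the handler that always fires,
    # even when Bro sees no packets at all.
    Log::create_stream(HttpDebug::LOG, [$columns=Info, $path="http_debug"]);
    print "http_debug: started";
}

# Raised by the HTTP analyzer (HTTP.cc) for each request line it parses.
# The event signature comes from the generated events.bif; the analyzer only
# raises the event if some script defines a handler for it and HTTP traffic
# was actually seen on the monitored interface or trace.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    Log::write(HttpDebug::LOG, [$ts=network_time(), $uid=c$uid,
                                $orig_h=c$id$orig_h, $resp_h=c$id$resp_h,
                                $method=method, $uri=original_URI]);
}

# Raised for the status line of the matching response.
event http_reply(c: connection, version: string, code: count, reason: string)
{
    Log::write(HttpDebug::LOG, [$ts=network_time(), $uid=c$uid,
                                $orig_h=c$id$orig_h, $resp_h=c$id$resp_h,
                                $status=code]);
}
```

Run it against a saved trace as suggested earlier in the thread, e.g. `bro -C -r trace.pcap http_debug.bro`, and check for http_debug.log in the working directory. If bro_init printed but the log stays empty, the HTTP analyzer never saw HTTP traffic (wrong interface, loopback vs. eth0, or an empty trace), which is the same symptom as debug prints placed in HTTP.cc never firing.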