[Bro] Help with bro

anthony kasza anthony.kasza at gmail.com
Thu Nov 24 00:03:47 PST 2016


init_bro is raised as Bro executes and HTTP events are raised as Bro sees
HTTP connections. Usually the Bro binary needs to begin execution before it
begins parsing network traffic. Here are some ideas for you to test:

- You could be terminating Bro before it recognizes an HTTP connection
- You could have no traffic going to Bro (do you see a conn.log file? Are
we sure about interfaces at this point?)
- You may be generating HTTP traffic Bro doesn't recognize.

Collect a pcap and attach to this thread. Best case scenario, you found a
protocol parsing issue and the Bro devs can fix. Worst case scenario, your
SO distribution needs tweaking and you may need to ask another list for
directions.

-AK

On Nov 23, 2016 11:32 PM, "anthony kasza" <anthony.kasza at gmail.com> wrote:

> Again, I'm adding the bro list for others edification.
>
> HTTP.cc is part of "the core". It parses connection streams passed to it,
> from the analyzer tree, and raises events defined in events.bif. Such
> events include those around http headers, http requests, http responses,
> etc. Then, the script "layer" is called based on those events. Such events
> have handler code in scripts that do things such as logging. I hope this
> helps.
>
> -AK
>
> On Nov 23, 2016 9:30 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:
>
>> Hi Anthony,
>>
>> I included this question with the bro mailing list also, by any chance if
>> you know the answers please let me know. Would be great help. I am stuck on
>> this since a couple of days.
>> I don't quite understand what you mean by raising an event and defining an
>> event.
>>
>> As I understand the incoming packets are picked by bro and then some sort
>> of stream (Delivered Stream) is formed (not sure here if you could please
>> elaborate this) and then go through the process of analyzer tree which then
>> figures out based on the signature that a particular packet is HTTP or
>> not (let's say). Then an HTTP event is generated and if the corresponding
>> event handler is defined then the event is put in events queue.
>> When the event reaches head of line in the queue then it is processed and
>> the event handler feeds corresponding data structures which will be used by
>> scripts as well, and the script is notified by the event handler of the
>> event having occurred.
>>
>> so with respect to HTTP what function does HTTP.cc perform here, and what
>> does events.bif.cc perform?
>> Present in bro/build/src/analyzer/protocol/http
>>
>> It would be great if you can give some idea here.
>>
>> I am trying to put some debug logs in each of the functions in
>> events.bif.cc and HTTP.cc (the debug logs are just opening a file and
>> printing in that file). But all I can see printed is bro_init. Any idea as
>> to why?
>>
>> Thanks and regards,
>>
>>
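The core/script split described in this thread (HTTP.cc raises the events declared in events.bif, and scripts attach handlers to them) can be observed from the script layer without patching the core at all. The following is an added example, not code from the thread or from the Bro project: a small Bro script whose handlers print when each event fires, so you can see that bro_init fires at startup regardless of traffic while the http_* events only fire once the HTTP analyzer has parsed a request or reply. The file names capture.pcap and debug_events.bro are placeholders.

```bro
# Added example (not from the thread): handlers for the events the Bro core
# raises, printed to stdout so the firing order is visible.
# bro_init fires as soon as Bro starts; the http_* events fire only after the
# HTTP analyzer has attached to a connection and parsed a request or reply.
# Run against a capture with:  bro -r capture.pcap debug_events.bro
# (capture.pcap and debug_events.bro are placeholder names)

module DebugEvents;

export {
    # Count of HTTP requests seen; stays 0 if the analyzer never attaches.
    global requests_seen: count = 0;
}

event bro_init()
{
    print "bro_init fired: Bro is running, no packets parsed yet";
}

# Raised by the core for every HTTP request line it parses.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    ++requests_seen;
    print fmt("http_request from %s: %s %s HTTP/%s",
              c$id$orig_h, method, original_URI, version);
}

# Raised for every HTTP status line parsed from the server side.
event http_reply(c: connection, version: string, code: count, reason: string)
{
    print fmt("http_reply to %s: %d %s", c$id$orig_h, code, reason);
}

# Raised once per header; is_orig is T for client headers, F for server ones.
event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    print fmt("http_header (%s): %s: %s",
              is_orig ? "client" : "server", name, value);
}

event bro_done()
{
    # If this prints 0 while the pcap clearly carries HTTP, look at conn.log
    # to check whether the connection was seen at all and which service
    # label it received.
    print fmt("bro_done: %d HTTP requests seen", requests_seen);
}
```

If only the bro_init line appears when running against a live interface, the symptom matches the first two ideas above (Bro stopped before an HTTP connection completed, or no traffic reached it). If it appears when replaying a pcap that is known to contain HTTP, the third idea applies: the HTTP analyzer did not recognise the traffic, and conn.log's service column is the quickest place to confirm that.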