[Bro] Help with bro

Yagyesh Srivastava ysrivas at ncsu.edu
Thu Nov 24 01:44:55 PST 2016


*so you mean to say that generate_http_request is a definition of the
HTTP_request event?*

void BifEvent::generate_http_request(analyzer::Analyzer* analyzer,
                                     Connection* c, StringVal* method,
                                     StringVal* original_URI,
                                     StringVal* unescaped_URI,
                                     StringVal* version)
    {
    // Note that it is intentional that here we do not
    // check if ::http_request is NULL, which should happen *before*
    // BifEvent::generate_http_request is called to avoid unnecessary Val
    // allocation.

    val_list* vl = new val_list;

    vl->append(c->BuildConnVal());
    vl->append(method);
    vl->append(original_URI);
    vl->append(unescaped_URI);
    vl->append(version);

    mgr.QueueEvent(::http_request, vl, SOURCE_LOCAL, analyzer->GetID(),
                   timer_mgr, c);
    }


*if that's the case, why does it have mgr.QueueEvent? That gets me confused.*
*And the HTTP_request event is raised by:*

void HTTP_Analyzer::HTTP_Request()
    {
    ProtocolConfirmation();

    const char* method = (const char*) request_method->AsString()->Bytes();
    int method_len = request_method->AsString()->Len();

    if ( strncasecmp(method, "CONNECT", method_len) == 0 )
        connect_request = true;

    if ( http_request )
        {
        val_list* vl = new val_list;
        vl->append(BuildConnVal());
        Ref(request_method);
        vl->append(request_method);
        vl->append(TruncateURI(request_URI->AsStringVal()));
        vl->append(TruncateURI(unescaped_URI->AsStringVal()));
        vl->append(new StringVal(fmt("%.1f", request_version)));
        // DEBUG_MSG("%.6f http_request\n", network_time);
        ConnectionEvent(http_request, vl);
        }
    }

I have attached my responses inline to what you asked me to test:

Here are some ideas for you to test:

- You could be terminating Bro before it recognizes an HTTP connection

When I use bro -Ci eth0 (i.e. the binary), then I can see all the
http.log, weird.log and conn.log files getting dumped in my current working
directory. They have the correct information. So I don't think this is the
case. I still can't get why broctl wouldn't give me the logs.
- You could have no traffic going to Bro (do you see a conn.log file? Are
we sure about interfaces at this point?)

As mentioned, traffic is going to Bro; only then am I able to see those logs.
- You may be generating HTTP traffic Bro doesn't recognize.

I doubt this.


Having said the above, what I did as a small experiment was to write a
small piece of code to open a file and print a line with the function name in
each of the event definitions in events.bif.cc and each of the events in
HTTP.cc, just to get a trace of the function calls, but it just shows me
bro_init as the printed message.
*Again I am confused as to how it is able to detect the HTTP packets without
passing through either of these functions.*

Thanks,
Yagyesh



On Thu, Nov 24, 2016 at 3:03 AM, anthony kasza <anthony.kasza at gmail.com>
wrote:

> init_bro is raised as Bro executes and HTTP events are raised as Bro sees
> HTTP connections. Usually the Bro binary needs to begin execution before it
> begins parsing network traffic. Here are some ideas for you to test:
>
> - You could be terminating Bro before it recognizes an HTTP connection
> - You could have no traffic going to Bro (do you see a conn.log file? Are
> we sure about interfaces at this point?)
> - You may be generating HTTP traffic Bro doesn't recognize.
>
> Collect a pcap and attach it to this thread. Best case scenario, you found a
> protocol parsing issue and the Bro devs can fix it. Worst case scenario, your
> SO distribution needs tweaking and you may need to ask another list for
> directions.
>
> -AK
>
> On Nov 23, 2016 11:32 PM, "anthony kasza" <anthony.kasza at gmail.com> wrote:
>
>> Again, I'm adding the bro list for others' edification.
>>
>> HTTP.cc is part of "the core". It parses connection streams passed to it,
>> from the analyzer tree, and raises events defined in events.bif. Such
>> events include those around http headers, http requests, http responses,
>> etc. Then, the script "layer" is called based on those events. Such events
>> have handler code in scripts that do things such as logging. I hope this
>> helps.
>>
>> -AK
>>
>> On Nov 23, 2016 9:30 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:
>>
>>> Hi Anthony,
>>>
>>> I included this question on the bro mailing list also; by any chance,
>>> if you know the answers, please let me know. It would be a great help. I have
>>> been stuck on this for a couple of days.
>>> I don't quite understand what you mean by raising an event and defining
>>> an event.
>>>
>>> As I understand it, the incoming packets are picked up by Bro and then some
>>> sort of stream (Delivered Stream) is formed (not sure here, if you could
>>> please elaborate on this) and then they go through the analyzer tree,
>>> which then figures out based on the signature whether a particular packet is
>>> HTTP or not (let's say). Then an HTTP event is generated and, if the
>>> corresponding event handler is defined, the event is put in the event
>>> queue.
>>> When the event reaches the head of the queue it is processed,
>>> and the event handler feeds the corresponding data structures which will be
>>> used by scripts as well, and the script is notified by the event handler of
>>> the event having occurred.
>>>
>>> So with respect to HTTP, what function does HTTP.cc perform here, and
>>> what does events.bif.cc perform?
>>> (Present in bro/build/src/analyzer/protocol/http)
>>>
>>> It would be great if you can give some idea here.
>>>
>>> I am trying to put some debug logs in each of the functions in
>>> events.bif.cc and HTTP.cc (the debug logs just open a file and
>>> print to that file). But all I can see printed is bro_init. Any idea as
>>> to why?
>>>
>>> Thanks and regards,
>>>
>>>
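The same trace the thread tries to obtain with fprintf calls patched into HTTP.cc can be taken from the script layer instead, without rebuilding Bro. The following Bro script is an added example for this page, not code from the thread or from the Bro project: it handles bro_init, http_request, http_reply and bro_done and counts them, so a run against a pcap or a live interface shows directly whether HTTP_Analyzer::HTTP_Request() ever reaches ConnectionEvent(http_request, ...). The http_request parameter list mirrors the generate_http_request signature quoted above (method, original_URI, unescaped_URI, version); the script file name, module name and the pcap path in the usage note are my choices.

```bro
# debug_http_events.bro  (file name is an assumption for this example)
#
# Trace the events the Bro core raises for HTTP traffic from the script
# layer. bro_init fires once at startup before any packet is read, so a
# run that prints only bro_init has not delivered a recognised HTTP
# request to the script layer; each http_request line below corresponds
# to one ConnectionEvent(http_request, vl) in HTTP_Analyzer::HTTP_Request().

module HttpTrace;

global requests: count = 0;
global replies: count = 0;

event bro_init()
    {
    # Raised when Bro starts, before any traffic is processed.
    print "bro_init: script layer up, waiting for traffic";
    }

# Parameters match the http_request event defined in events.bif:
# connection, method, original URI, unescaped URI, HTTP version string.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    ++requests;
    print fmt("%.6f http_request %s %s -> %s %s %s HTTP/%s",
              network_time(), c$uid, c$id$orig_h, c$id$resp_h,
              method, unescaped_URI, version);
    }

# Raised by the analyzer for the server's status line.
event http_reply(c: connection, version: string, code: count, reason: string)
    {
    ++replies;
    print fmt("%.6f http_reply %s %d %s", network_time(), c$uid, code, reason);
    }

event bro_done()
    {
    # Raised once at shutdown; totals of zero here mean no HTTP event
    # reached the script layer during the run.
    print fmt("bro_done: %d http_request and %d http_reply events seen",
              requests, replies);
    }
```

Run it against a capture with `bro -C -r http.pcap debug_http_events.bro` (the pcap name is a placeholder) or live with `bro -Ci eth0 debug_http_events.bro`, matching the -C flag used in the thread to ignore checksums. If http.log is written but no http_request lines appear, the event is being raised but this handler is not loaded; if the bro_done totals stay at zero and no http.log appears, the analyzer never confirmed HTTP on that traffic, which is the case anthony kasza's pcap suggestion is meant to distinguish.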