[Bro] Getting 'standard' Bro events into Python

Johanna Amann johanna at icir.org
Wed Apr 5 09:42:06 PDT 2017


Hi Brian,

you are right that Broker is the new communication library; please note
that the API is not quite finished yet and that you will have to adjust
your code when the next Bro version is released.

Note that, for both broker and broccoli, you will not just be able to
receive connection (or other) events; instead you will have to handle them
in a bro event where you can re-throw them (...under a different name, to
not cause issues with other scripts).

If you subscribe to that new event using broker, you should be able to
receive data.

The best example for using broker to communicate with Bro that currently
exists is probably the netcontrol adapters; an easy example is available
at https://github.com/bro/bro-netcontrol/tree/master/test

I hope this helps,
 Johanna

On Fri, Mar 24, 2017 at 11:54:52AM -0600, Brian Wylie wrote:
> Okay, after a bit more hunting I see the new Broker communications docs.
> - https://www.bro.org/sphinx/components/broker/README.html
> - https://www.bro.org/sphinx/components/broker/broker-manual.html
> 
> I see that you can wrap the broker API with SWIG, so this is all good news.
> 
> Anyone happen to have/make/point me to a small example python script that
> maybe subscribes to all connection events (events that go into conn.log)?
> 
> Thanks a bunch,
> -Brian Wylie
> 
> On Thu, Mar 23, 2017 at 1:40 PM, Brian Wylie <briford.wylie at gmail.com>
> wrote:
> 
> > Hi All,
> >
> > I'm fairly new to Bro and I have a question very similar to this one '
> > http://mailman.icsi.berkeley.edu/pipermail/bro/2017-January/011389.html'.
> >
> > Basically I want the easiest/best path to get standard Bro events (conn,
> > http, dns, ssl, weird..etc) into Python.
> >
> > 1) Is broctl / python-broccoli the best path?
> >        - Note: in my testing I had to use broctl> start .  in order for my
> > python Connection() to work
> >        - If this isn't necessary and I can do the same with just running
> > Bro standalone pls let me know
> >
> > 2) If broctl/python-broccoli IS the best path then how do I 'subscribe' to
> > the standard events?
> >       - Is there a list of the standard events?
> >       - If so do I just @event with a method that has the same name as the
> > event?
> >
> > Sorry if these are naive questions, but so far my googling/trying/testing
> > has been a bit hit-miss :)
> >
> > Cheers,
> > -Brian Wylie
> >

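The re-throw step described in the reply, as an added example that is not part of the original thread or of the Bro project's code: a script that handles the built-in `connection_state_remove` event and publishes a renamed summary event on a Broker topic that an external subscriber can peer with. It assumes the Broker script API as shipped in Bro/Zeek releases after this thread (`Broker::listen`, `Broker::publish`, `zeek_init`); the module name, topic, event name and port are hypothetical.

```zeek
# Added example, not from the thread. Module, topic, event name and port
# are hypothetical; the Broker calls assume a post-2017 Bro/Zeek release.
module ConnExport;

export {
	# Topic an external Broker client subscribes to (assumed name).
	const topic = "/example/conn" &redef;

	# The renamed event: a flat summary of a finished connection. Using a
	# new name keeps it from colliding with handlers of built-in events.
	global conn_summary: event(uid: string, orig_h: addr, resp_h: addr,
	                           resp_p: port, duration: interval,
	                           orig_bytes: count, resp_bytes: count);
}

event zeek_init()
	{
	# Accept Broker peerings on loopback only, so the event stream is not
	# exposed to other hosts on the monitoring network.
	Broker::listen("127.0.0.1", 9999/tcp);
	}

# connection_state_remove fires when a connection is about to be removed
# from memory, which is also when its conn.log entry is written.
event connection_state_remove(c: connection)
	{
	# Re-throw under the new name: send the summary to every peer that is
	# subscribed to the topic.
	Broker::publish(topic, conn_summary, c$uid, c$id$orig_h, c$id$resp_h,
	                c$id$resp_p, c$duration, c$orig$size, c$resp$size);
	}
```

A Broker client that peers with 127.0.0.1:9999 and subscribes to `/example/conn` receives the event under the name `ConnExport::conn_summary`.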