[Bro] React based on Bro event (block/unblock connection)

Mohammed Alshaboti alshaboti.it at gmail.com
Fri Nov 16 16:47:47 PST 2018


Hi Jon,
I modified the code many times and couldn't reproduce the error.
I simply modified this
https://github.com/bro/bro-netcontrol/blob/master/test/simple-test.bro to
add an event
https://github.com/bro/bro-netcontrol/blob/master/test/simple-client.py

I would like to add rules inside the 'connection_established()' event rather
than in NetControl::init(), so the Python script can react based on the
established connection_established event.
""
@load base/frameworks/netcontrol
redef exit_only_after_terminate = T;
event NetControl::init()
        {
        local netcontrol_broker =
NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1,
$bport=9977/tcp, $topic="bro/event/ne$
        NetControl::activate(netcontrol_broker, 0);
        }
event NetControl::init_done() &priority=-5
        {
        print "Init done";
        # drop rule goes through to simple-client.py
        NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
        }
event connection_established(c: connection)
        {
        # can't receive this drop in simple-client.py, only it gets connectionestablished not the drop rule!!
        NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
        }
""
However, on the Python client I only get connection_established but not the
drop rule of NetControl::drop_address.

I run it like this:
bro -C -r ../traces/tls/ecdhe.pcap simple-test.bro

python simple-client.py
DEBUG:netcontrol.api:Set up listener for 127.0.0.1:9977 (bro/event/netcontrol-example)
DEBUG:netcontrol.api:Waiting for broker message...
DEBUG:netcontrol.api:Handling broker status message...
INFO:netcontrol.api:Incoming connection established
<ResponseType.ConnectionEstablished: 1>

Thank you,
Mohammed



The Python program crashes or gives me communication established

On Fri, Nov 16, 2018 at 6:02 AM Jon Siwek <jsiwek at corelight.com> wrote:

> On Wed, Nov 14, 2018 at 11:38 PM Mohammed Alshaboti
> <alshaboti.it at gmail.com> wrote:
>
> > I would like to send Bro data (e.g. connection) to a backend python
> > program on some events.
> > I tried to use the netcontrol broker to communicate with an external
> > python client like (https://github.com/bro/bro-netcontrol/tree/master/test).
> > But when I added event it crashed.
>
> Can you provide more info?  e.g. exact code that you're trying.  Was
> it bro or the python program that crashed?  Any other relevant output
> or error messages?
>
> - Jon
>