[Bro] React based on Bro event (block/unblock connection)

Azoff, Justin S jazoff at illinois.edu
Fri Nov 16 18:39:49 PST 2018


You may be running into a common race condition where the pcap file is read before the netcontrol broker connection is initialized.  There are 2 ways of going about testing this differently.  The first way would be to run bro on live traffic by using -i eth0 instead of reading a pcap file.  I would also change


NetControl::drop_address(1.1.2.2, 15sec, "Hi there");

to

NetControl::drop_address(c$id$resp_h, 15sec, "Hi there");

so that for each connection bro sees it will try to drop a different address and not just 1.1.2.2 each time.  I believe netcontrol tracks drops internally so by dropping the same 1.1.2.2 each time you would only see one broker message every 15 seconds instead of each time.


If you need to test using a pcap file you should be able to use the method that is used in the test suite: https://github.com/bro/bro/blob/master/testing/btest/scripts/base/frameworks/netcontrol/broker.bro

Essentially you would add a

event bro_init()
	{
	suspend_processing();
	}

so that bro pauses processing of the pcap traffic as soon as it starts.  Then, inside NetControl::init_done you would call continue_processing().  This way the pcap is only analyzed after netcontrol is fully initialized.
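Putting both suggestions above together, here is a complete script (an added example, not code from the thread or from the bro-netcontrol repository): processing is suspended in bro_init, resumed once NetControl::init_done fires, and each established connection drops its own responder address. The broker topic is the one shown in the python client's log further down; passing T for can_expire is an assumption.

```bro
@load base/frameworks/netcontrol

redef exit_only_after_terminate = T;

# Pause reading the pcap before the first packet is processed, so no
# connection_established event can fire before the broker backend exists.
event bro_init()
	{
	suspend_processing();
	}

event NetControl::init()
	{
	# topic taken from the client log in this thread; can_expire=T is assumed
	local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=9977/tcp, $topic="bro/event/netcontrol-example"), T);
	NetControl::activate(netcontrol_broker, 0);
	}

event NetControl::init_done() &priority=-5
	{
	print "Init done";
	# The backend is connected now: resume trace processing so that every
	# later drop request actually reaches simple-client.py.
	continue_processing();
	}

event connection_established(c: connection)
	{
	# Drop the responder of this particular connection rather than a fixed
	# address, so NetControl does not collapse repeated identical rules.
	NetControl::drop_address(c$id$resp_h, 15sec, fmt("established from %s", c$id$orig_h));
	}
```

Run it as before with `bro -C -r ../traces/tls/ecdhe.pcap simple-test.bro` while simple-client.py is already listening; the client should now log a drop for each connection in the trace.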



________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Mohammed Alshaboti <alshaboti.it at gmail.com>
Sent: Friday, November 16, 2018 7:47:47 PM
To: jsiwek at corelight.com
Cc: Bro at bro.org
Subject: Re: [Bro] React based on Bro event (block/unblock connection)

Hi Jon,
I modified the code many times, and couldn't reproduce the error.
I simply modified this https://github.com/bro/bro-netcontrol/blob/master/test/simple-test.bro to add an event
https://github.com/bro/bro-netcontrol/blob/master/test/simple-client.py

I would like to add rules inside the 'connection_established()' event rather than in NetControl::init(), so the python script can react to the connection_established event.
""
@load base/frameworks/netcontrol
redef exit_only_after_terminate = T;
event NetControl::init()
        {
        # topic taken from the client log below (the line was cut off in the mail); can_expire=T is assumed
        local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=9977/tcp, $topic="bro/event/netcontrol-example"), T);
        NetControl::activate(netcontrol_broker, 0);
        }
event NetControl::init_done() &priority=-5
        {
        print "Init done";
        # drop rule goes through to simple-client.py
        NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
        }
event connection_established(c: connection)
        {
        # can't receive this drop in simple-client.py, it only gets connection_established, not the drop rule!!
        NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
        }
""
However, on the python client I only get connection_established but not the drop rule from NetControl::drop_address.

I run it like this:
bro -C -r ../traces/tls/ecdhe.pcap simple-test.bro

python simple-client.py
DEBUG:netcontrol.api:Set up listener for 127.0.0.1:9977 (bro/event/netcontrol-example)
DEBUG:netcontrol.api:Waiting for broker message...
DEBUG:netcontrol.api:Handling broker status message...
INFO:netcontrol.api:Incoming connection established
<ResponseType.ConnectionEstablished: 1>

Thank you,
Mohammed



The python program crashes or gives me communication established

On Fri, Nov 16, 2018 at 6:02 AM Jon Siwek <jsiwek at corelight.com> wrote:
On Wed, Nov 14, 2018 at 11:38 PM Mohammed Alshaboti
<alshaboti.it at gmail.com> wrote:

> I would like to send Bro data (e.g. connection) to a backend python program on some events.
> I tried to use the netcontrol broker to communicate with an external
> python client like (https://github.com/bro/bro-netcontrol/tree/master/test).
> But when I added event it crashed.

Can you provide more info?  e.g. exact code that you're trying.  Was
it bro or the python program that crashed?  Any other relevant output
or error messages?

- Jon