[Bro] Bro Digest, Vol 151, Issue 16

Mohammed Alshaboti alshaboti.it at gmail.com
Sun Nov 18 12:59:23 PST 2018


Thanks Jon,
It works when I use it with online data (-i eth0); as you said, it seems
to be a race condition.

Thanks

On Sat, Nov 17, 2018 at 3:40 PM <bro-request at bro.org> wrote:

> Today's Topics:
>
>    1. Re: React based on Bro event (block/unblock connection)
>       (Mohammed Alshaboti)
>    2. Re: React based on Bro event (block/unblock connection)
>       (Azoff, Justin S)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 17 Nov 2018 13:47:47 +1300
> From: Mohammed Alshaboti <alshaboti.it at gmail.com>
> Subject: Re: [Bro] React based on Bro event (block/unblock connection)
> To: jsiwek at corelight.com
> Cc: Bro at bro.org
> Message-ID: <CAKbXeiA0SzR0F72_dUO=1umyru7gNnUR3Ne7uSuph6zEjnDfDg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Jon,
> I modified the code many times, and couldn't reproduce the error.
> Simply, I modified this
> https://github.com/bro/bro-netcontrol/blob/master/test/simple-test.bro to
> add an event for
> https://github.com/bro/bro-netcontrol/blob/master/test/simple-client.py
>
> I would like to add rules inside the 'connection_established()' event rather
> than in NetControl::init(), so the python script can react to the
> connection_established event.
> ""
> @load base/frameworks/netcontrol
> redef exit_only_after_terminate = T;
> event NetControl::init()
>         {
>         # this line was cut off in the mail after "bro/event/ne"; the tail is
>         # restored from the referenced simple-test.bro (topic and can_expire flag)
>         local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=9977/tcp, $topic="bro/event/netcontrol-example"), T);
>         NetControl::activate(netcontrol_broker, 0);
>         }
> event NetControl::init_done() &priority=-5
>         {
>         print "Init done";
>         # drop rule goes through to simple-client.py
>         NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
>         }
> event connection_established(c: connection)
>         {
>         # can't receive this drop in simple-client.py; it only gets
>         # connection_established, not the drop rule!!
>         NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
>         }
> ""
> However, on the python client I only get connection_established, but not the
> drop rule from NetControl::drop_address.
>
> I run it like this:
> bro -C -r ../traces/tls/ecdhe.pcap simple-test.bro
>
> python simple-client.py
> DEBUG:netcontrol.api:Set up listener for 127.0.0.1:9977 (bro/event/netcontrol-example)
> DEBUG:netcontrol.api:Waiting for broker message...
> DEBUG:netcontrol.api:Handling broker status message...
> INFO:netcontrol.api:Incoming connection established
> <ResponseType.ConnectionEstablished: 1>
>
> Thank you,
> Mohammed
>
>
>
> The python program crashes or gives me communication established.
>
> On Fri, Nov 16, 2018 at 6:02 AM Jon Siwek <jsiwek at corelight.com> wrote:
>
> > On Wed, Nov 14, 2018 at 11:38 PM Mohammed Alshaboti
> > <alshaboti.it at gmail.com> wrote:
> >
> > > I would like to send Bro data (e.g. connection) to a backend python
> > program on some events.
> > > I tried to use the netcontrol broker to communicate with an external
> > > python client like (
> > https://github.com/bro/bro-netcontrol/tree/master/test
> > > ).
> > > But when I added event it crashed.
> >
> > Can you provide more info?  e.g. exact code that you're trying.  Was
> > it bro or the python program that crashed?  Any other relevant output
> > or error messages?
> >
> > - Jon
> >
> ------------------------------
>
> Message: 2
> Date: Sat, 17 Nov 2018 02:39:49 +0000
> From: "Azoff, Justin S" <jazoff at illinois.edu>
> Subject: Re: [Bro] React based on Bro event (block/unblock connection)
> To: Mohammed Alshaboti <alshaboti.it at gmail.com>,
>         "jsiwek at corelight.com"  <jsiwek at corelight.com>
> Cc: "Bro at bro.org" <Bro at bro.org>
> Message-ID: <SN6PR11MB3216AA4D0CF0624EC064E937A5DE0 at SN6PR11MB3216.namprd11.prod.outlook.com>
>
> Content-Type: text/plain; charset="koi8-r"
>
> You may be running into a common race condition where the pcap file is
> read before the netcontrol broker connection is initialized.  There are 2
> ways of going about testing this differently.  The first way would be to
> run bro on live traffic by using -i eth0 instead of reading a pcap file.  I
> would also change
>
>
> NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
>
> to
>
> NetControl::drop_address(c$id$resp_h, 15sec, "Hi there");
>
> so that for each connection bro sees it will try to drop a different
> address and not just 1.1.2.2 each time.  I believe netcontrol tracks drops
> internally so by dropping the same 1.1.2.2 each time you would only see one
> broker message every 15 seconds instead of each time.
>
>
> If you need to test using a pcap file you should be able to use the method
> that is used in the test suite:
> https://github.com/bro/bro/blob/master/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
>
> Essentially you would add a
>
> event bro_init()
> {
> suspend_processing();
> }
>
> so that bro pauses processing of the pcap traffic as soon as it starts.
> Then, inside NetControl::init_done you would call continue_processing().
> This way the pcap is only analyzed after netcontrol is fully initialized.
>
>
>
> ------------------------------
>
>


-- 
Best regards,
Mohammed Al-Shaboti
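Justin's suggestions from the digest above, assembled into one complete script as an added example (not code from the thread or from the bro-netcontrol repository): packet processing is suspended in bro_init, resumed only from NetControl::init_done, and the drop in connection_established targets c$id$resp_h so every connection yields a distinct rule. The broker host, port and topic are assumed to match the simple-test.bro / simple-client.py pair referenced in the thread.

```bro
@load base/frameworks/netcontrol

# Keep Bro running after the pcap is exhausted so the broker session stays up.
redef exit_only_after_terminate = T;

# Pause packet processing before the first packet is read, so no
# connection_established event can fire while the netcontrol broker
# backend is still connecting (the race condition described above).
event bro_init()
	{
	suspend_processing();
	}

event NetControl::init()
	{
	# Assumed: same listener the simple-client.py test client uses.
	local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=9977/tcp, $topic="bro/event/netcontrol-example"), T);
	NetControl::activate(netcontrol_broker, 0);
	}

# Runs once every activated plugin has reported ready; only now does the
# pcap get analyzed, so every rule below reaches the Python client.
event NetControl::init_done() &priority=-5
	{
	print "NetControl initialized, resuming packet processing";
	continue_processing();
	}

# Dropping c$id$resp_h instead of a fixed 1.1.2.2 gives each connection its
# own rule; NetControl deduplicates identical rules, which is why repeating
# the same address only produced one broker message per 15 seconds.
event connection_established(c: connection)
	{
	NetControl::drop_address(c$id$resp_h, 15sec, fmt("established from %s", c$id$orig_h));
	}
```

Run it the same way as in the thread (bro -C -r ../traces/tls/ecdhe.pcap script.bro with simple-client.py already listening); the client should now log a drop rule for each established connection in the trace rather than only ConnectionEstablished.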