Accessing Bro variables in C

Greetings

I've run up against another glitch in my efforts to get data out of Bro. I am receiving the 'connection_finished' event from the conn.bro policy, which sends a Bro type 'connection' record. I am processing the event with the callback method:

void bro_conn_callback(BroConn* bc, BroRecord* conn)
{
    void* result;
    char* service;
    bro_record_get_named_val(conn, "service", BRO_TYPE_STRING, result);
    service = strdup((char*)result);
    printf("%s event received\n", service);
    free(service);
}

When I ssh into the host machine and exit it triggers the event as it should, but the callback prints out an empty string.

My experiments with the bro type 'time' variable start_time are equally unsuccessful. Is the type equivalent to the c double, or is it a timestamp structure? (I didn't find it in the bro manual.)

Am I going about this all wrong?

Thanks

Mike

Hi again,

> Greetings
>
> I've run up against another glitch in my efforts to get data out of Bro. I
> am receiving the 'connection_finished' event from the conn.bro policy, which
> sends a Bro type 'connection' record. I am processing the event with the
> callback method:
>
> void bro_conn_callback(BroConn* bc, BroRecord* conn)
> {
>     void* result;
>     char* service;
>     bro_record_get_named_val(conn, "service", BRO_TYPE_STRING, result);
>     service = strdup((char*)result);
>     printf("%s event received\n", service);
>     free(service);
> }
>
> When I ssh into the host machine and exit it triggers the event as it
> should, but the callback prints out an empty string.

Mhmm does it work when you do this instead:

  BroString *result;
  bro_record_get_named_val(conn, "service", BRO_TYPE_STRING, &result);

http://www.cl.cam.ac.uk/~cpk25/broccoli/manual/broccoli-broccoli.html#BRO-RECORD-GET-NAMED-VAL

Also note that strings are actually instances of BroString, so in order
to get to the resulting string you want to use

  printf("%s event received\n", result->str_val);

I really need to add bro_string_get_data() and bro_string_get_length().

> My experiments with the bro type 'time' variable start_time are equally
> unsuccessful. Is the type equivalent to the c double, or is it a timestamp
> structure? (I didn't find it in the bro manual.)

Try similarly to the above code snippet -- pass the address of the
pointer so Broccoli can adjust it to point to the result.

> Am I going about this all wrong?

I'd say you're very close! The record handling stuff is some of the
newest code in Broccoli and could probably be better documented ... Well
done! :-)

Cheers,
Christian.
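The following is an added example, not code from this thread and not Broccoli's own code. It demonstrates the point Christian makes above: bro_record_get_named_val() writes a pointer through its last argument, so the caller must pass the ADDRESS of a pointer (&result), and a string field arrives as a BroString whose bytes are reached through str_val. To compile without broccoli.h, the BroString layout, the BRO_TYPE_* tags, the ConnRecord type and get_named_val() are a stand-in that reproduces the four-argument calling convention used in the thread; only the names mirror Broccoli, and the signature of the real function should be checked against the broccoli.h of your release. Two further assumptions of mine: the returned pointer points into the record (so it is copied, never freed, as Mike's strdup() already does), and BroString is length-counted, so the copy honours str_len instead of trusting a NUL terminator.

```c
/* Added example: a stand-in for the Broccoli record API used in this
 * thread. Nothing here is Broccoli's own code; the struct layouts and
 * the get_named_val() contract are assumptions chosen to reproduce the
 * calling convention discussed (pass &ptr as the result argument). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors Broccoli's BroString: a length-counted byte string. */
typedef struct {
    unsigned int str_len;
    unsigned char *str_val;
} BroString;

/* Stand-in type tags (the numeric values are arbitrary here). */
enum { BRO_TYPE_STRING = 1, BRO_TYPE_TIME = 2 };

/* Stand-in for the 'connection' record with the two fields discussed. */
typedef struct {
    BroString service;
    double    start_time;   /* a Bro 'time' value is carried as a C double */
} ConnRecord;

/* Stand-in for bro_record_get_named_val(rec, name, type, result).
 * On success it stores a pointer INTO the record at *result and returns 1;
 * on a name or type mismatch it leaves *result untouched and returns 0.
 * Because it writes through the argument it receives, the caller must
 * hand over &ptr; passing an uninitialised ptr by value changes nothing. */
static int get_named_val(ConnRecord *rec, const char *name, int type, void *result)
{
    if (strcmp(name, "service") == 0 && type == BRO_TYPE_STRING) {
        *(BroString **)result = &rec->service;
        return 1;
    }
    if (strcmp(name, "start_time") == 0 && type == BRO_TYPE_TIME) {
        *(double **)result = &rec->start_time;
        return 1;
    }
    return 0;
}

/* Copy the 'service' field out as a NUL-terminated C string.
 * Returns the number of bytes copied, or -1 if the field is missing, has
 * the wrong type, or the buffer is unusable. A copy is taken because
 * str_val points into the record and is only valid while the record is;
 * str_len is honoured because BroString need not carry a terminator. */
static int extract_service(ConnRecord *rec, char *out, size_t outlen)
{
    BroString *s = NULL;                 /* pointer that the API adjusts */
    if (outlen == 0)
        return -1;
    if (!get_named_val(rec, "service", BRO_TYPE_STRING, &s))
        return -1;
    size_t n = s->str_len < outlen - 1 ? s->str_len : outlen - 1;
    memcpy(out, s->str_val, n);
    out[n] = '\0';
    return (int)n;
}

/* Fetch 'start_time' the same way; here the result slot is a double*. */
static int extract_start_time(ConnRecord *rec, double *out)
{
    double *t = NULL;
    if (!get_named_val(rec, "start_time", BRO_TYPE_TIME, &t))
        return -1;
    *out = *t;
    return 0;
}

/* Constructed sample record, standing in for what a connection_finished
 * event might deliver. The service bytes are deliberately NOT NUL-terminated. */
static ConnRecord make_sample_record(void)
{
    static unsigned char svc[] = { 's', 's', 'h' };
    ConnRecord r;
    r.service.str_len = sizeof svc;
    r.service.str_val = svc;
    r.start_time = 1115000000.25;
    return r;
}

int main(void)
{
    ConnRecord conn = make_sample_record();
    char service[64];
    double start;

    if (extract_service(&conn, service, sizeof service) < 0)
        return 1;
    if (extract_start_time(&conn, &start) < 0)
        return 1;
    printf("%s event received, start_time=%.2f\n", service, start);

    /* Asking for a field with the wrong type tag is rejected, not coerced. */
    BroString *wrong = NULL;
    printf("start_time as string: %s\n",
           get_named_val(&conn, "start_time", BRO_TYPE_STRING, &wrong) ? "ok" : "rejected");
    return 0;
}
```

The two extract functions are the shape a real callback body would take: check the return value of the lookup before dereferencing anything, then copy the field out of the record if it has to outlive the callback. Printing str_val with a plain "%s" works only if the library NUL-terminates it; "%.*s" with str_len is the safe form for a length-counted string.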

Christian

> Mhmm does it work when you do this instead:
>
>   BroString *result;
>   bro_record_get_named_val(conn, "service", BRO_TYPE_STRING, &result);

Well, maybe. It's printing '??'. '?' is a valid string for this field if I remember the bro manual correctly. I don't see anything in the logs that has protocol information so maybe '?' is what bro thinks. I have seen 'ssh' in bro output when reading tcpdump files, but the '?' could be an artifact here.

Prior to this my entire bro experience was reading tcpdump files and it seems like the interesting info came out on stdout. Maybe I should have redirected stdout when I started bro from the command line? I opted not to send emails when I configured bro, and there's nothing in the reports subdirectory. If I can figure out where the reports are going I'll check to see what bro is writing to the logs. Maybe '?' is the right answer (at least as far as the interface is concerned).


> Also note that strings are actually instances of BroString, so in order
> to get to the resulting string you want to use
>
>   printf("%s event received\n", result->str_val);

I don't see this field in the on-line manual. Is BroString defined somewhere else?

> I really need to add bro_string_get_data() and bro_string_get_length().

> > My experiments with the bro type 'time' variable start_time are equally
> > unsuccessful. Is the type equivalent to the c double, or is it a timestamp
> > structure? (I didn't find it in the bro manual.)
>
> Try similarly to the above code snippet -- pass the address of the
> pointer so Broccoli can adjust it to point to the result.

> > Am I going about this all wrong?

> I'd say you're very close! The record handling stuff is some of the
> newest code in Broccoli and could probably be better documented ... Well
> done! :-)

Thanks. I'll be glad to get this working.

Cheers

Mike

> Well, maybe. It's printing '??'. '?' is a valid string for this field if I
> remember the bro manual correctly. I don't see anything in the logs that has
> protocol information so maybe '?' is what bro thinks. I have seen 'ssh' in
> bro output when reading tcpdump files, but the '?' could be an artifact
> here.

Mhmm I'm not sure -- I'll have to test extracting fields from connection
records myself to be sure. It might take me a bit but I'll get back to
you on this.

> Prior to this my entire bro experience was reading tcpdump files and it
> seems like the interesting info came out on stdout. Maybe I should have
> redirected stdout when I started bro from the command line? I opted not to
> send emails when I configured bro, and there's nothing in the reports
> subdirectory. If I can figure out where the reports are going I'll check to
> see what bro is writing to the logs. Maybe '?' is the right answer (at least
> as far as the interface is concerned).

I'd look at the connection summaries created by conn.bro directly. I'm
somewhat sceptical whether ?? is really the output you should get.

> Also note that strings are actually instances of BroString, so in order
> to get to the resulting string you want to use
>
> printf("%s event received\n", result->str_val);
>

> I don't see this field in the on-line manual. Is BroString defined somewhere
> else?

Try here:

  http://www.cl.cam.ac.uk/~cpk25/broccoli/manual/c86.html#AEN122

I just added a paragraph on how to extract fields from records to the
documentation and put it in CVS. It'll be in the next release and is
essentially what I said in my previous posting.

> Thanks. I'll be glad to get this working.

If everything else works but you just don't seem to get the right values
out of the record fields, you could try creating wrapper events that get
triggered from the event handlers you're actually interested in, but
only have the fields you care about in atomic (non-record) form. That's
exactly the difference between broping.bro and broping-record.bro, btw.

Cheers,
Christian.