Basic Question

I’m pretty new to Bro and am just trying to understand how to go about getting events programmatically from the sensor (10.0.0.1). Here’s my test scenario.

I see entries constantly being added to the ssl.log file. Since this is a pretty busy file, I decide to try to register an event handler (using ipython) to capture those events on a separate system (using the python interface):

    from broccoli import *
    bc = Connection("10.0.0.1:47760")

    @event
    def ssl_conn_attempt(connection, version, ciphers):
        print connection, version, ciphers

    while True:
        bc.processInput()

But I never see my callback triggered even though I see constant activity in the ssl.log file. What am I doing wrong?

Thanks in advance!
Justin

Where did you get this event from? That is an old event that was removed prior to the 2.0 release. You can refer to the following link for all of our current (2.1 release) analyzer generated events:
  http://bro-ids.org/documentation/scripts/base/event.bif.html

Are you running Bro with BroControl in standalone mode too? If you run a cluster and you only connect to your manager you won't see these events either because the protocol events aren't being generated on the manager. It looks like you're doing the right things in your python script though.

  .Seth

From here: http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events

I guess the “old” in the URL should have tipped me off. I had some trouble finding descriptions of built-in events, so I just grabbed the first thing that looked reasonable. I’ll look over the document you linked below. I did try using the “new_connection” event with similar results (i.e., none), so your comment on the cluster configuration may also be a sticking point for me.

I’ll look over my configuration with that note about the manager not generating the protocol events in mind; I’m not sure on the specifics (if I recall correctly, I think I configured it as a cluster for future expansion but am only running on one machine right now).

It actually is configured as standalone - my mistake.

I changed my python script to:

from broccoli import *
bc = Connection("10.0.0.1:47760")

@event
def new_connection(event):

Argh - no tabs in Gmail.

    @event
    def new_connection(connection):
        print connection

    while True:
        bc.processInput()

…and still don’t see any activity despite seeing lots of messages in conn.log.

Any troubleshooting tips? I also know that the connection to the sensor is being established - I’m entering the script interactively via ipython and no errors are generated (and I see the connected socket via netstat on the sensor).

Here is a gist with my current efforts:

https://gist.github.com/4227811

I’ve tried all kinds of things - including adding my client node to the “Communication::nodes” table on the bro sensor. That allowed me to see “peerstatus” information using broctl when I connected using the Python script, but my callback still never fired despite all kinds of connections being logged in conn.log.

I’m not sure where to look next - I’ve read every example I can find. Any tips would be helpful.

Thanks!

> Any troubleshooting tips? I also know that the connection to the sensor is being established - I'm entering the script interactively via ipython and no errors are generated (and I see the connected socket via netstat on the sensor).

You could use tcpdump to see if any packets are actually sent after the connection is made. Sometimes communication.log can have relevant information. And there's some pybroccoli documentation at [1] if you haven't read it yet. You might also try to get an even more minimal test to work first, like instead of using broctl, run bro from the command line as `bro -b -i <iface> ./test.bro`.

test.bro:

    @load frameworks/communication/listen
    redef Communication::listen_port = 47760/tcp;

    global my_event: event(cid: conn_id);

    event new_connection(c: connection)
        {
        print "new_connection", c$id;
        event my_event(c$id);
        }

test.py:

    #! /usr/bin/env python

    from broccoli import *

    conn_id = record_type("orig_h", "orig_p", "resp_h", "resp_p")

    @event(conn_id)
    def my_event(cid):
        print "my_event", cid

    bc = Connection("127.0.0.1:47760")

    while True:
        bc.processInput()

And if that works, then you can try moving the event declaration/handler into share/bro/site/local.bro to see whether test.py works from your standalone broctl setup.

A couple other things about the example above:

1) For events that have record type parameters, they have to be defined in the python script.

2) The "connection" type parameter for the "new_connection" event is pretty complex, so I've declared "my_event" to be more deliberate in picking out only a few fields.

    Jon

[1] http://www.bro-ids.org/documentation/components/broccoli-python/README.html

You’re a miracle worker!

Instead of running it locally, I first tried just modifying site/local.bro by adding your snippet:

    global my_event: event(cid: conn_id);

    event new_connection(c: connection)
        {
        print "new_connection", c$id;
        event my_event(c$id);
        }

…and changing my Python script as you described below (pointing to my sensor instead of localhost). Sure enough, it’s printing all kinds of stuff now.

I’ll work with this some more to be sure I fully understand it. My working assumption is that the lack of the proper record_type in Python was my main hang-up.

Thanks!