Broccoli Code Not Working : Not receiving any events

Zeek
1

Broccoli code :

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <errno.h>
#include <string.h>
#include <inttypes.h>
#include <broccoli.h>
#include <unistd.h>
#include <stdbool.h>
#include <string.h>

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

char *host_default = “127.0.0.1”;
char *port_default = “64646”;
char *host_str;
char *port_str;

// The variables that monitor the rate
float tcp_packet_out = 0;
float tcp_packet_in = 0;
float udp_packet_in = 0;
float udp_packet_out = 0;

uint64 seq;

static void
usage(void)
{
printf(“cero_traffic\n”);
exit(0);
}

// For every TCP_PACKET event
static void
bro_tcp_packet(BroConn *bc, void *data, BroRecord *conn, int *is_orig, BroString *flags,int *seq, int *ack, int *len, BroString *payload)
{

printf(“1\n\n”);
if(is_orig)
{
tcp_packet_in++;
}
else
{
tcp_packet_out++;
}

conn = NULL;
data = NULL;
}

// For every UDP_REQUEST event
static void
bro_udp_request(BroConn *conn, void *data)
{
printf(“2\n\n”);
udp_packet_in++;

conn = NULL;
data = NULL;
}

// For every UDP_REPLY event
static void
bro_udp_reply(BroConn *conn, void *data)
{
udp_packet_out++;

conn = NULL;
data = NULL;
}

// Main driver function
// Mainly deals with creating and establishing the connection with Bro
int
main(int argc, char **argv)
{

printf(“Starting program”);
BroConn *bc;
char hostname[512];
int fd = -1;

bro_init(NULL);

host_str = host_default;
port_str = port_default;
printf(“Marker1-success”);
snprintf(hostname, 512, “%s:%s”, host_str, port_str);

if (! (bc = bro_conn_new_str(hostname, BRO_CFLAG_RECONNECT)))
{
printf(“Could not get Bro connection handle.\n”);
exit(-1);
}

bro_event_registry_add(bc, “tcp_packet”, (BroEventFunc) bro_tcp_packet, NULL);
/* bro_event_registry_add(bc, “udp_request”, (BroEventFunc) bro_udp_request, NULL);
bro_event_registry_add(bc, “udp_reply”, (BroEventFunc) bro_udp_reply, NULL);
*/

printf(“Marker2-success”);
if (! bro_conn_connect(bc))
{
printf(“Could not connect to Bro at %s:%s.\n”, host_str, port_str);
exit(-1);
}

printf(“Marker3-success”);
for(;:wink:
{
sleep(1);
printf(“in\n”);
bro_event_registry_request(bc);
bro_conn_process_input(bc);

// printf(“tcp_packet_out : %f tcp_packet_in : %f udp_packet_in : %f udp_packet_out : %f \n”,tcp_packet_out,tcp_packet_in,udp_packet_in,udp_packet_out);
}

/* Disconnect from Bro and release state. */
bro_conn_delete(bc);

return 0;
}

Bro Code :

@load policy/frameworks/communication/listen

Let’s make sure we use the same port no matter whether we use encryption or not:

redef Communication::listen_port = 64646/tcp;

Redef this to T if you want to use SSL.

redef Communication::listen_ssl = F;

Set the SSL certificates being used to something real if you are using encryption.

#redef ssl_ca_certificate = “/ca_cert.pem”;
#redef ssl_private_key = “/bro.pem”;

redef Communication::nodes += {
[“cero_traffic”] = [$host = 127.0.0.1, $connect=F, $ssl=F]
};

global ct_log = open_log_file(“cero_traffic”);

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string)
{
if(is_orig)
print fmt(“TCP PACKET | CONN: %s:%s > %s:%s |FLAG: %s |LEN: %s”,c$id$orig_h,c$id$orig_p,c$id$resp_h,c$id$resp_p,flags,len);
else
print fmt(“TCP PACKET | CONN: %s:%s > %s:%s |FLAG: %s |LEN: %s”,c$id$resp_h,c$id$resp_p,c$id$orig_h,c$id$orig_p,flags,len);

}

#event udp_request(u: connection)
#{

print fmt(“UDP PACKET | CONN: %s:%s > %s:%s”,u$id$orig_h,u$id$orig_p,u$id$resp_h,u$id$resp_p);

#}

#event udp_reply(u: connection)
#{

print fmt(“UDP PACKET | CONN: %s:%s > %s:%s”,u$id$resp_h,u$id$resp_p,u$id$orig_h,u$id$orig_p);

#}

2

Hello Sherine,

I am answering to basically most of your mails and a bit of your activity
on IRC. Note that on IRC, you will nearly exclusively find people online
weekdays during US daytime hours. During other times, you are unlikely to
get an answer there - and it is a good idea to just keep your client
running since you will probably get an answer, even if it might be hours
later.

That being said - as I mentioned on IRC before, you should look at the
broping examples of Broccoli on how to sent an event from Bro to broccoli.
You will have to re-throw the event in Bro (so e.g. catch the tcp_packet
event and then send it off again under a different name, to which broccoli
listens as given in the event argument for the connection).

However, I think generally you are trying to do the wrong thing here for a
number of reasons.

First - broccoli is actually deprecated and will no longer be supported in
future versions of Bro (it will be supported in 2.5, it might be in 2.6,
it will probably not be in 2.7). Newer code might start looking into the
new communication library called Broker.

Second - sending on events like tcp_packet, udp_packet, etc via the
communication libraries seems like a bad idea. On even a quite low amount
of network traffic, you will be generating enormous numbers of events that
will have to be sent out via broccoli/broker. This will not scale to any
significant link speed. In cluster mode, you get problems with event
distribution on top of that (either you have to send events to the manager
before or each cluster worker has to have its own broccoli/broker
connection).

For your inter-arrival-time analysis, the best way probably would be to
implement that directly in C++-code as a Bro module. However, implementing
that will require quite a bit of understanding of the internal workings of
Bro, which are not really documented too much; so you will have to do
quite a bit of reading code and doing research yourself. So - that will
probably take at least weeks of your time.

An example project that takes this approach is
https://github.com/bro/bro-plugins/tree/master/tcprs.

On a sidenote - it would be nice if you could put all your emails with
questions on the same topic in one email thread - and also, if you put a
bit more work into the way that you phrase your questions to make them
easier to understand. Posting a stream of different mail messages is
actually less likely to get a response (at least from me) - please
remember that this is community support.

Johanna