Debugging Policies and Print Statement

Good day,

I’m using bro version 2.0-372 with a new git checkout from master as of 2012-05-27 on Centos6. I’m having an issue where the print statement in the policy debugger displays nothing. Breakpoints and stack tracks seem to work correctly but not being able to inspect variables is making playing with policies frustrating.

Is this a known issue or is there some type of preprocessing make inspection work?

Thanks,
Chris

In bro_init() at /usr/local/bro/share/bro/base/utils/site.bro:155
155 local_dns_suffix_regex = set_to_regex(local_zones, “(^\.?|\.)(~~)$”);
(Bro [0]) break http_entity_data
Setting breakpoint on http_entity_data:
There are multiple definitions of that event handler.
Please choose one of the following options:
[1] /usr/local/bro/share/bro/base/protocols/http/./file-ident.bro:79
[2] /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro:37
[3] /usr/local/bro/share/bro/base/protocols/http/./file-extract.bro:32
[4] /usr/local/bro/share/bro/base/protocols/http/./file-ident.bro:85
[a] All of the above
[n] None of the above
Enter your choice: 2
Breakpoint 1 set at http_entity_data at /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro:37
(Bro [1]) c
Continuing.
Breakpoint 1, http_entity_data(c = '[id=[orig_h=192.168.1.13, orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], orig=[size=121, state=4, num_pkts=4, num_bytes_ip=216, flow_label=0], resp=[size=3095, state=4, num_pkts=4, num_bytes_ip=1963, flow_label=0], start_time=1338087055.218736, duration=0.27459, service={

}, addl=, hot=0, history=ShACad, uid=cTLeNAfgQo2, dpd=, conn=[ts=1338087055.218736, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13, orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=, local_orig=T, missed_bytes=121, history=, orig_pkts=, orig_ip_bytes=, resp_pkts=, resp_ip_bytes=], extract_orig=F, extract_resp=F, dns=, dns_state=, ftp=, http=[ts=1338087055.413572, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13, orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], trans_depth=0, method=, host=, uri=, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={

}, username=, password=, capture_password=F, proxied=, mime_type=application/x-dosexec, first_chunk=T, md5=, calc_md5=F, calculating_md5=F, extraction_file=, extract_file=F], http_state=[pending={
[0] = [ts=1338087055.413572, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13, orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], trans_depth=0, method=, host=, uri=, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=, status_msg=, info_code=, info_msg=, filename=, tags={

}, username=, password=, capture_password=F, proxied=, mime_type=, first_chunk=T, md5=, calc_md5=F, calculating_md5=F, extraction_file=, extract_file=F],
[1] = [ts=1338087055.413572, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13, orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], trans_depth=0, method=, host=, uri=, referrer=, user_agent=, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=, info_msg=, filename=, tags={

}, username=, password=, capture_password=F, proxied=, mime_type=application/x-dosexec, first_chunk=T, md5=, calc_md5=F, calculating_md5=F, extraction_file=, extract_file=F]
}, current_request=0, current_response=1], irc=, smtp=, smtp_state=, ssh=, ssl=, syslog=, known_services_done=F]’, is_orig = ‘F’, length = ‘1500’, data = ‘MZ\x90\0^C\0\0\0^D\0\0\0\xff\xff\0\0\xb8\0\0\0\0\0\0\0@\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x80\0\0\0^N\x1f\xba^N\0\xb4^I\xcd!\xb8^AL\xcd!This program cannot be run in DOS mode.^M^M^J$\0\0\0\0\0\0\0PE\0\0L^A^C\0\xdf\x9cO\0\xe2!\0\0\0\0\0\xe0\0/^C^K^A^B^V\0\xd0^I\0\0\0^A\0\0\xc0^Y\0^P\x85#\0\0\xd0^Y\0\0\xa0#\0\0\0@\0\0^P\0\0\0^B\0\0^D\0\0\0^A\0\0\0^D\0\0\0\0\0\0\0\0\xa0$\0\0^P\0\0\0\0\0\0^B\0\0\x80\0\0 \0\0^P\0\0\0\0^P\0\0^P\0\0\0\0\0\0^P\0\0\0\0\0\0\0\0\0\0\0^T\x9a$\0l^B\0\0\0\xa0#\0^T\xfa\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xf0\x90#\0^X\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0UPX0\0\0\0\0\0\xc0^Y\0\0^P\0\0\0\0\0\0\0^B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x80\0\0\xe0UPX1\0\0\0\0\0\xd0^I\0\0\xd0^Y\0\0\xc2^I\0\0^B\0\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\xe0.rsrc\0\0\0\0\0^A\0\0\xa0#\0\0\xfe\0\0\0\xc4^I\0\0\0\0\0\0\0\0\0\0\0\0\0@\0\0\xc03.07\0UPX!^M^I^N^G\x8c*]\xc2\xf4\x96\xc3\xc8\xd3e#\0\xf2\xb4^I\0\x1d\xe2!\0&\x1e\0\xb0^Z^C\0*\xa2X\xa54\x1ec\x1d\xbe^Wo\xc6UdK\xb5\xd9/kuB"\x9e^Q\xa5e\xe73\x1f\xc6Z\x91^Q\x8e\xd8\x97^BF\xba^P\xbdp\x92\xb4"7/\x92,\xf3\x9eg\x90\xfe^T\xfa|\xb7\xba\x8d0^T,\xf6K\x9a\xdf:\x9e\xceJ\xe8\x98u\xa4(\xe2(\xd0H)^C\x90\x95>q\xca \xfa^D\x963\xff2\x86QD’\xe0\xf5\x9a,\x9d^H4V\xda\xd5\xd0\xb5[^E|\x8e\xfd\x83\xd8^U\xa9\xd7^F^S\xa7\xe9\x91\xc7 ~\xd3\xc7^B\x90\x1en\xbb\xe6\xa2\xb5\x8e\xe7\xf7\xbe\xc5\x86g\xe2^W\xff\xd2RG\xd6\xb2P\xd9\x8a\x8f\xf5^D]B|i\x9c\x97W\xf8^NL\x8a\x9dsk\xdac\xb5^V\xe3\xa0\xf14\x94^K\xb8\xff^ER\xfa\xe4\xf8\x955\xdd\xa1\xa8\0^Y^Qr/^E\x9a\xb4\xee}\xde\xb7@\xf2\x92^N/\xe4L\xc5\xd3\xebT\xcb\xa1&\x90^A\xbcC\xd9\xdaW\x9f^A^Vbt\x9f\xb1\x81\x1dX^Mx^\xeb6^H{v\xeeA\xeeAA\x9eD\x81E\xe1\xdeA\xa8\x1f^U\xe6\xd2\xbcr\xf1cIc\xac^TB\x8d\xd8\x8a\xf5\xd1L\xac\xd9\xad\xbb%\xc8=^J\x87\x1b\x89\xa46\x8d;d\xfd\xd8$\xf7=Y^I\xdev\x85]h^BNT\x9c^UL8\xb9%M^Y\x83\xc0C^G\xa1\xd9L^S\x854\xdfi^A\xf8;\xe9\x90^Hj@^\x1fO^S:\xfc%\xf9*\x98\x1e\xf2b\xcc\xb3^Y^Ga\xa0\xf5tw;\xddg^?^CG\x8f\x88\xef^B\xbb\xcd=^Thn\x1b\xa3^O\xf1^E\xb5\xa1\0@\x85\xe0\x8b\xf5^GW\xc0\x94\x8a\xee\xa7^T\x99\xd7qq’6\xa9X\xe4#;\xefg4D\x82^G\l\xbbH\x82\xbc\xc2G\xf7\xca\x9f\xa5K@\x1e\xe7lB^O\xe3\xbd+\xf4\xa1\x89\xd1@\xc4\xc6\xd6\x1b^U^Fpf\x89h\xc3G\xf3\x88o^Fg\xe7#q\x9d\x1d\xd9\xa1,\x81\xc6\x9bF^R^P^\xd5H)()^T8\xebT\x86\xc0\xd8\x1c_\x95\xe6\xab\x82l=\x82v\x90\xb2g\xf6O\xecE(\xa0\xceR\6)^OX[\xea\xcf\x89^Qd\xbeg^Q\xc7\xc0\xed\x90FG\x80:/!b\x1d^S\xa8\x89\x95\x8e>\xea\xe1s|^?,\xf2\xe6d\xb8\xee)\xd9Ti\xefO\xa2\xdb\xab\xeb\xf1\xe6\xc70W\x89\xdam\xbd\x8ewiS\xc5\x95^G^C\xadM\xbf^K\xdb\xed\xa0\x97K\xe9\x1c\xf2^?\x92k\x92Vk\x89>\xb9l\xff\x80\x97^UXN\xbf\x90[\xe6AH)X\xe99\xce\xb5\xf0>^E’\xb1C^J\xe0\x82\xc1\xffj3u\xe8\xbb\xaeyE#\xb8\xbe\xa7\xa9\xeb\x93{\xa3\x90^Y\xe1,[.Y\xf3^Z\xa8\xa5\x99\x96\xc5sI=\xa5\xf0~\xc1^M\xe2\xc7RK^XF\x80\x1bhX\xdc\xc4P\xcb^P^W^Z\xe2\x8a\xdb’@a;\xa9\xa0^G"+d\x9f\xa0\xd1j\x993\x83^A\xaa\x80\xfc\xc3\x8f\xf3\xf2\xd1\x96kG\xa8\xf7\xb1\xf4\xe6\xd4\x9d\xc4Y\xbc\xd9\xc1\xaf^D^N\xce^Q\xf6\xd9H^E^?\xe6\xfc\xe6\x8210\x1f\x86yrO\x96s\xffU^R3^V\xa6^UD\xb3^Nt\xed"\x92\xa3``\xd4^Fn\xdb^Lf\xd5\xc2^K1^E\xdf\xa6\xe7\xbc\xb8’=\xa9\xeft\xeb;O1R\x1er\xccC&\x99\xba\x85t\xfa\xc8\xe7^D\xdc5\x1bN@M\x8cFrB2\xe3\x83^So^U\xcf\x9cu\xde9\xe7xV"$Q^K\xef^U^M\xbd\x99\xd5I^EgS\xfe\xaf\xa3^I\x80P\xad!\x88\x97;\x85\xf1\x95\xed^Y^Im\xd9\x93\x9e4O\xe4Y^S\x88\x88^F\xa8’^U_}\xa1\xcbh.;\xe6\xc7\xac^KSGvF<\xe4i\xe7GN\0rV\xbd\xcf}`\x84\xa5^G\xe6\xa1U\xc6\x91,^Ct\xe0A\x99\x9d^O\xffj\xe8\xf4n\x86^^J\xf1\x91.\xaa\xc0^Y?\x8bV^N\xc1\x8aJPhh\xfa\xbc\xf3\x9e\xd1yX\0\x1f$^Ml(\xe6\xbd^Ji\xd9’) at /usr/local/bro/share/bro/base/protocols/http/./file-hash.bro:37
In http_entity_data(c = '[id=[orig_h=192.168.1.13, orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], orig=[size=121, state=4, num_pkts=4, num_bytes_ip=216, flow_label=0], resp=[size=3095, state=4, num_pkts=4, num_bytes_ip=1963, flow_label=0], start_time=1338087055.218736, duration=0.27459, service={

}, addl=, hot=0, history=ShACad, uid=cTLeNAfgQo2, dpd=, conn=[ts=1338087055.218736, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13, orig_p=50402/tcp, resp_h=209.132.180.131, resp_p=80/tcp], proto=tcp, service=, duration=, orig_bytes=, resp_bytes=, conn_state=, local_orig=T, missed_bytes=121, history=, orig_pkts=, orig_ip_bytes=, resp_pkts=, resp_ip_bytes=], extract_orig=F, extract_resp=F, dns=, dns_state=, ftp=, http=[ts=1338087055.413572, uid=cTLeNAfgQo2, id=[orig_h=192.168.1.13, orig_p=50402/tcp, resp_
37 if ( is_orig || ! c?$http ) return;
(Bro [2]) print c
(Bro [3]) print is_orig

The debugger hasn't seen much attention for a while unfortunately, and
some of its functionality isn't working at the moment. We have a
ticket tracking that, http://tracker.bro-ids.org/bro/ticket/678, but
it doesn't look like we'll get to it in time for the next release.

Fwiw, I often just insert print statements into the code while
developing/debugging.

Robin

I'm using bro version 2.0-372 with a new git checkout from master as of 2012-05-27 on Centos6. I'm having an issue where the print statement in the policy debugger displays nothing.

It seems that parameters of functions/events take on the module scoping in which they're declared. So in your case, breaking in the "http_entity_data" in file-hash.bro is inside the "HTTP" module (there's the "module HTTP;" statement near the top of that script). So qualifying local variables or event parameters with the module name in the script debugger should work:

print HTTP::is_orig
print HTTP::c
print HTTP::c$id

Breakpoints and stack tracks seem to work correctly

I also noticed that the context string for stack traces is using a static buffer size, so it's getting truncated sometimes and the filename:line won't be there. I can fix that and also give some better error messages for when the 'print' command fails to parse the given args and put that on the fastpath branch, but I'm not sure how bad it will be to try to change local identifiers to not inherit module scoping, or even if that would be "right".

    Jon

I've merged this into git master now.

Robin

Thanks all; things seem more predictable now. Especially helped figuring out c$$http$mime_type is sniffed and not read from the HTTP header.