Getting SSL events into Python

Hi,

I'm currently researching SSL/TLS handshakes and want to process several
events Bro provides with the SSL plugin. I've installed Bro along with
broccoli and broccoli-python and the "broping" example (from the test
directory) is working just fine. For each "ping" event I sent to Bro, a
"pong" is received and processed in my Python script.

However, in case of the SSL my callbacks are never executed. The most
simplified version looks something like this:

#! /usr/bin/env python

from broccoli import *

@event
def ssl_established(c):
    print('established')

bc = Connection("127.0.0.1:47760")

while True:
    bc.processInput()

To my understanding I don't even have to load the SSL plugin, since it
resides within "base", but nevertheless my local.bro contains the following:

@load broping
@load base/protocols/ssl

When starting Bro and executing the Python script mentioned above,
nothing happens, even if SSL traffic is going through the interface
(and/or coming from a recorded pcap). I've also tried to register
callbacks for various other SSL related events (ssl_client_hello,
ssl_server_hello, etc.), but in no case were my callbacks invoked.

The only difference to the "broping.py" from the examples, is that I'm
not sending any events, but just want to receive them (hence I'm calling
processInput() regularly).

What am I missing here? Do I somehow need to enable the SSL
functionality within Bro? How can I further debug the problem?

Any help is very much appreciated, since I've spent a fair amount of
time on this already, with no real progress.

Thank you very much!

Best regards,
Karol Babioch

Hello Karol,

by default, events that are handled locally inside of Bro are not sent
anywhere else; for core-raised events, you will have to re-raise them
(with a different name to not cause any issues), and set your
communication preferences so that the raised event will be forwarded to
broccoli (like done in broping.bro).

I hope this helps,
Johanna

Hello Johanna,