Getting 'standard' Bro events into Python

Hi All,

I’m fairly new to Bro and I have a question very similar to this one ‘’.

Basically I want the easiest/best path to get standard Bro events (conn, http, dns, ssl, weird…etc) into Python.

  1. Is broctl / python-broccoli the best path?
     • Note: in my testing I had to use broctl> start . in order for my python Connection() to work
     • If this isn’t necessary and I can do the same with just running Bro standalone pls let me know
  2. If broctl/python-broccoli IS the best path then how do I ‘subscribe’ to the standard events?
     • Is there a list of the standard events?
     • If so do I just @event with a method that has the same name as the event?

Sorry if these are naive questions, but so far my googling/trying/testing has been a bit hit-miss :)

-Brian Wylie

Okay, after a bit more hunting I see the new Broker communications docs.

I see that you can wrap the broker API with SWIG, so this is all good news.

Anyone happen to have/make/point me to a small example Python script that maybe subscribes to all connection events (events that go into conn.log)?

Thanks a bunch,
-Brian Wylie

Hi Brian,

you are right that Broker is the new communication library; please note
that the API is not quite finished yet and that you will have to adjust
your code when the next Bro version is released.

Note that, for both broker and broccoli, you will not just be able to
receive connection (or other) events; instead you will have to handle them
in a bro event where you can re-throw them (...under a different name, to
not cause issues with other scripts).

If you subscribe to that new event using broker, you should be able to
receive data.

The best examples for using broker to communicate with Bro that currently
exist are probably the netcontrol adapters; an easy example is available

I hope this helps,