icmp events (custom and original) not firing?

Hello.

I am writing a C++ program to interface with Bro, using Broccoli.

According to this [Bro] Mailing List message (http://mailman.icsi.berkeley.edu/pipermail/bro/2014-December/007844.html), I need to create my own events that only use certain fields from the conn_id bro record.

I followed the example in the post, using the ‘dns_message’ event as a test.

  1. In bro/share/bro/base/bif/plugins/Bro_DNS.events.bif.bro, I added this line after line 26:

global dns_message_test: event(cid: conn_id, is_orig: bool, msg: dns_msg, len: count);

  2. In bro/share/bro/base/protocols/dns/main.bro, in the ‘event dns_message’ event (ln 286), I added this at the bottom of the event:

event dns_message_test(c$id, is_orig, msg, len);

Then, in my main function, I add it to the registry with something like:

bro_event_registry_add_compact(f_broPtr, "dns_message_test", (BroCompactEventFunc) event_cb, NULL);

And my ‘event_cb’ callback function is called and everything seems good.

However, I then wanted to try with icmp_time_exceeded and icmp_packet_too_big (which is part of what I’m after):

In bro/share/bro/base/bif/plugins/Bro_ICMP.events.bif.bro, I add a ‘_test’ event to both:

global icmp_packet_too_big_test: event(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context);

global icmp_time_exceeded_test: event(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context);

However:

  1. There is only one ‘event icmp*’ function block, and that’s in /bro/share/bro/policy/misc/detect-traceroute/main.bro for ‘icmp_time_exceeded’. This has an associated ‘event icmp_time_exceeded’ (line 98). I add my ‘icmp_time_exceeded_test(c$id, icmp, code, context)’ line in that function and register it with another bro_event_registry_add_compact line in my C code, but the event (original and my _test version) never fires. I’m not sure I’m using the correct ‘event icmp’ since the detect-traceroute comments say it’s for a Time Exceeded threshold, and I’m more interested in capturing ANY Time exceeded event.

  2. Given 1), I cannot find a ‘main.bro’ file with ‘event icmp_packet_too_big’, and so that event (original and _test version) never fires, either.

I am very new to DPI, so I may be missing something obvious. Any help greatly appreciated.

Thanks!

-Scott

I should also mention that we are firing pcaps that contain ICMP Oversize and Time Exceeded data, but it could be that they need to be configured in Bro.

-Scott

PS: Please excuse the Confidentiality Notice. It’s auto-generated by my company.

Are you sure that policy/misc/detect-traceroute/main.bro is loaded? E.g. if you’re running from the command line it won’t be loaded by default; you’d need something like:

bro -r icmp.pcap misc/detect-traceroute/main.bro

This is sort of a detour from the specific problem, but rather than modifying existing scripts, I’d suggest defining your own event handlers for the ones you need. I’d try to get something simple working from the command-line first. E.g. create a file called “test.bro” containing:

event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
  {
  print "icmp_time_exceeded", c$id, icmp, code, context;
  }

Then run:

bro -r icmp.pcap ./test.bro

If you see output, then it works and you can modify the handler however you need. If not, then there’s something specific about the pcap you’re using that I’d probably need to see in order to tell what’s wrong, but sometimes weird.log might have hints as to what’s wrong.

- Jon
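As an added example (not code from the thread or from the Bro distribution), here is a stand-alone script that follows Jon's advice: handle both ICMP error events in your own file instead of editing base/ or policy/ scripts, write each one to a log, and re-raise the conn_id-only "_test" variant that Scott's Broccoli client registers. The module name IcmpErrors, the Info record, and the log stream are my own choices; the icmp_conn and icmp_context field names are the Bro 2.x record definitions, and the _test event signature is the one from Scott's post.

```bro
# icmp_errors.bro - added example, not part of the original thread.
# Run with:  bro -r icmp.pcap ./icmp_errors.bro
# Produces icmp_errors.log (path derived from IcmpErrors::LOG) and raises
# icmp_time_exceeded_test / icmp_packet_too_big_test for a Broccoli client.

module IcmpErrors;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:       time    &log;
        uid:      string  &log;
        id:       conn_id &log;              # outer ICMP "connection" 5-tuple
        kind:     string  &log;              # "time_exceeded" or "packet_too_big"
        code:     count   &log;              # ICMP code field
        inner_id: conn_id &log &optional;    # 5-tuple of the quoted inner packet
        inner_proto: count &log &optional;   # transport protocol of inner packet
        bad_hdr:  bool    &log &default=F;   # inner header truncated/unparseable
    };
}

# Declared here (not in the .bif) so Broccoli can request them by name.
# Signature matches the one from Scott's post: conn_id instead of connection.
global icmp_time_exceeded_test: event(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context);
global icmp_packet_too_big_test: event(cid: conn_id, icmp: icmp_conn, code: count, context: icmp_context);

event bro_init()
    {
    Log::create_stream(LOG, [$columns=Info]);
    }

function log_icmp_error(c: connection, kind: string, code: count, context: icmp_context)
    {
    local rec = Info($ts=network_time(), $uid=c$uid, $id=c$id, $kind=kind, $code=code);

    # icmp_context carries whatever Bro could parse from the embedded packet.
    # bad_hdr_len is set when the quoted header was too short to trust.
    rec$inner_id = context$id;
    rec$inner_proto = context$proto;
    rec$bad_hdr = context$bad_hdr_len;

    Log::write(LOG, rec);
    }

event icmp_time_exceeded(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
    {
    log_icmp_error(c, "time_exceeded", code, context);
    event icmp_time_exceeded_test(c$id, icmp, code, context);
    }

event icmp_packet_too_big(c: connection, icmp: icmp_conn, code: count, context: icmp_context)
    {
    log_icmp_error(c, "packet_too_big", code, context);
    event icmp_packet_too_big_test(c$id, icmp, code, context);
    }
```

Because the handlers live in your own script, there is no dependency on misc/detect-traceroute being loaded, and nothing in the distribution is modified. If icmp_errors.log stays empty when run against the pcap, the events are not being generated at all, and weird.log is the first place to look, as Jon suggests; if the log fills but the Broccoli callback does not fire, the problem is on the Broccoli side (event name spelling in bro_event_registry_add_compact, or the registry request not being sent).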