Implementing broping.c in broscript

Hi,

I have loads of questions about communicating between Bro instances. I have been "playing" with some of the examples from the Broccoli 1.93 download. I'm wondering if it's possible to implement the broping.c example entirely within broscript.

I have successfully built and tested the broping example, which consists of C code connecting to a broscript listening on TCP port 47758. I have been looking for examples of broscripts connecting to broscripts (or listening Broccoli applications).

I have tried adding to the Communication::nodes table

redef Communication::nodes += {
    # broping.bro listens on 47758/tcp (see above); without $p the
    # framework's default port would be used instead.
    ["broping"] = [$host = 127.0.0.1, $p = 47758/tcp, $events = /pong|ping/, $connect=T, $ssl=F]
};

as well as manually creating a connection in bro_init(). I haven't been able to send the "ping" events from the Bro script to broping.bro.

I guess what I'm asking is whether it is possible (or even whether it is a good idea) to implement broping.c in broscript.

Thanks in advance for any help

James

You can definitely do that. It would just be sending events between multiple Bro processes which is very regularly done in some of the frameworks we ship.

  .Seth

Thanks Seth, I knew it had to be possible.
I'm struggling to get it working. Do you have any examples in the frameworks where this is done, or can you pick out anything missing from what I've already tried?

Thanks in advance for any help you can give with this.

James

You need to subscribe to the ping event, not the pong event.

  .Seth

Hi Seth,
Sorry to keep pestering you, I'm still having trouble getting this to work.
I have Wireshark'd it and can see the connection being made, but when comparing it with a Wireshark capture of the compiled C code, I'm missing the initial ping event going across the connection.

The C code:

  • uses bro_conn_new_str to get a new connection handle
  • uses bro_event_registry_add to add the "pong" event to this connection
  • uses bro_conn_connect to establish the connection

Would I be right in thinking that all you need to do in Bro script is add the following entry to the Communication::nodes table?

redef Communication::nodes += {
    ["broping2"] = [$host = 127.0.0.1, $p = 47758/tcp, $events = /pong/, $connect=T, $ssl=F]
};

I have tried both ping and pong (and both) in this entry without any luck. The C code sends ping events down to the Bro instance and is listening for pong events coming back.

The C code sends the ping event using "bro_event_send( connection, event);" on line 442 of broping.c.

Again, sorry for my lack of understanding here. Hope you can help :)

James

redef Communication::nodes += {
     ["broping2"] = [$host = 127.0.0.1, $p = 47758/tcp, $events = /pong/, $connect=T, $ssl=F]
};

It sounds like you want your Bro node to subscribe to ping events since that's what your broccoli application is sending. If you have it listening for pong, the C application might send the ping event, but Bro won't listen to it since it's only listening for pong events.

You could even make Bro listen for all events like this (not recommended for anything other than testing)…

     ["broping2"] = [$host = 127.0.0.1, $p = 47758/tcp, $events = /.*/, $connect=T, $ssl=F]

  .Seth

Hi Seth,

I think I have got to the bottom of why I was getting the events going down the connection. I think there are one (maybe two) reasons:

  1. the event_peer class (not sure about this?)
    in the broping.bro script I dumped the event_peer record in the remote_event_registered handler.
    from the C program it shows as “class=”
    from the bro script it comes through as “class=”
    I’m not sure whether this has any bearing on it, or whether “” and “” are treated as equals. Using bro_conn_set_class() from

  2. firing events in “bro_init”
    I rewrote bro_init() like this

# ping must be declared with the same signature as in broping.bro
global ping: event(src_time: time, seq: count);

event bro_init()
    {
    # raised immediately, before the peer connection is up
    event ping(current_time(), 1);
    # raised one second later, by which time the connection exists
    schedule 1 secs { ping(current_time(), 1) };
    }

I'm only seeing the event get fired once (the scheduled event). Could it be that the event firing plumbing isn't fully initialised before bro_init is called?

Anyway, it seems to be working now. Thanks for your help
James
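The following is an added example and not code from the thread or from the Broccoli distribution. It pulls together the two points discussed above (which events to put in `$events`, and when it is safe to start sending from the script side) into one Bro 2.x script that stands in for broping.c against the stock broping.bro listener. Assumptions: the peer listens on 127.0.0.1:47758 without SSL, as in the thread; `ping` and `pong` are declared in broping.bro with the signatures shown below (check them against your copy); the node name "broping2", the event name `send_ping` and the count/interval constants are this example's own choices. Note that `$events` names the events this node wants to *receive* from that peer, so the pinging side asks for `pong` while broping.bro asks for `ping`. Instead of raising the first ping in `bro_init()`, where the peer connection does not exist yet, the script waits for `remote_connection_handshake_done`.

```bro
# Added example: a Bro-script stand-in for broping.c.
# Assumed peer: the broping.bro listener on 127.0.0.1:47758, no SSL.
@load base/frameworks/communication

# Example choices, not taken from broping.c.
const ping_count: count = 5 &redef;
const ping_interval = 1 sec &redef;

# These must match the declarations in broping.bro on the peer.
global ping: event(src_time: time, seq: count);
global pong: event(src_time: time, dst_time: time, seq: count);

# Local-only driver event (this example's own name).
global send_ping: event();

global next_seq: count = 0;
global pongs_seen: count = 0;

# $events is the set of events we want to RECEIVE from this peer.
# We send ping and want pong back, so we subscribe to pong.
redef Communication::nodes += {
    ["broping2"] = [$host = 127.0.0.1, $p = 47758/tcp, $events = /pong/,
                    $connect = T, $ssl = F]
};

event send_ping()
    {
    if ( next_seq >= ping_count )
        return;

    # A locally raised event is forwarded to every connected peer that
    # subscribed to it, so this becomes a ping on the wire.
    event ping(current_time(), next_seq);
    ++next_seq;

    schedule ping_interval { send_ping() };
    }

# Do not start from bro_init(): the connection to the peer is not up
# yet, so anything raised there is never sent. Start once the peer
# handshake has completed.
event remote_connection_handshake_done(p: event_peer)
    {
    print fmt("connected to %s:%s, sending %d pings", p$host, p$p, ping_count);
    event send_ping();
    }

event pong(src_time: time, dst_time: time, seq: count)
    {
    local now = current_time();
    print fmt("pong seq=%d rtt=%s (one-way to peer %s)",
              seq, now - src_time, dst_time - src_time);

    ++pongs_seen;
    if ( pongs_seen >= ping_count )
        terminate();
    }

event remote_connection_closed(p: event_peer)
    {
    print fmt("peer %s:%s closed the connection after %d pongs", p$host, p$p, pongs_seen);
    }
```

Run the stock listener first (`bro broping.bro`), then this script (`bro <this-file>.bro`); it connects, sends `ping_count` pings one `ping_interval` apart, prints the round-trip time of each `pong`, and exits. If you see the connection in Wireshark but no ping frames, check the peer's own `$events` pattern: the listener only receives events it asked for, exactly as this side only receives the `pong` it subscribed to.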