Is there a way to intentionally delay Bro's reading of trace file for something else to finish first?

Hello all,

I have recently been using pybroker to feed some event data to my Python program. I use the auto_event to do that and read traffic from a pcap file. However, it takes some time for the broker to establish the connection with my Python program, but the processing of the traffic starts immediately. As a result, the first part of the traffic is always missing in my Python program. The following is how I set up the connection and utilize the auto_event. I am wondering if there is a way to intentionally delay Bro's processing of the pcap file so that the connection can be established before Bro starts to process the traffic.

event bro_init() &priority=5
{
    Broker::enable();
    Broker::connect("127.0.0.1", broker_port, 1sec);
    Broker::auto_event("bro/event/packet_get", FlowLevel::packet_get);
    Broker::auto_event("bro/event/data_get", DataLevel::data_get);
}

Any help is appreciated. Thanks a lot.

Best,
Wenyu

Wenyu Ren
Ph.D. Candidate
Department of Computer Science
University of Illinois at Urbana-Champaign

You can try something like this, not sure if it will work though

# Fires when the scheduled timer expires; lets the packet source run again.
event resume()
{
    continue_processing();
}

event bro_init() &priority=5
{
    # your existing stuff
    # Hold the packet source before the first packet is read, then
    # release it after a fixed delay to give the peer time to connect.
    suspend_processing();
    schedule 10secs { resume() };
}

You may want to look at the suggestion I wrote up here:

http://mailman.icsi.berkeley.edu/pipermail/bro/2017-July/012355.html

Having a 'pcapdir' pktsource plugin would solve a lot of problems like this.

Here’s a solution I hacked up a couple of years back while trying to scan pcaps for indicators. I believe it’s very similar to what Justin replied with.

https://github.com/anthonykasza/scratch_pad/blob/master/input_for_pcaps/README.md

-AK

You could use the bro_done event to send an "EXIT" message to your python listener telling it that bro is done running and it should exit.

The problem with the port sounds like something is not setting SO_REUSEADDR inside broker.
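Putting the two suggestions from this reply and the earlier one together, here is an added example (not from any post in this thread) that holds the pcap until the Broker peer actually connects instead of waiting a fixed 10 seconds, keeps the timer only as a fallback, and signals the listener from bro_done. It assumes the Bro 2.5-era Broker API used in the original question (Broker::enable, Broker::connect, Broker::auto_event, plus Broker::outgoing_connection_established, Broker::event_args and Broker::send_event, whose exact signatures are taken from memory); broker_port, the "bro/event/control" topic, and the control_exit event are assumed names, and FlowLevel::packet_get / DataLevel::data_get are the poster's own events.

```zeek
# Added example: gate pcap processing on the Broker connection and tell
# the Python listener when Bro is done. Names below are assumptions.
const broker_port = 9999/tcp &redef;     # port the listener binds (assumed)
const connect_timeout = 30secs &redef;   # fallback: resume anyway after this

# Event the listener subscribes to for the shutdown signal (assumed name).
global control_exit: event(msg: string);

global resumed = F;

event resume_processing()
    {
    # Guard so the fallback timer and the connection event cannot resume twice.
    if ( resumed )
        return;
    resumed = T;
    continue_processing();
    }

# Resume as soon as the peer is up, rather than after an arbitrary delay.
event Broker::outgoing_connection_established(peer_address: string,
                                              peer_port: port,
                                              peer_name: string)
    {
    event resume_processing();
    }

event bro_init() &priority=5
    {
    Broker::enable();
    Broker::connect("127.0.0.1", broker_port, 1sec);
    Broker::auto_event("bro/event/packet_get", FlowLevel::packet_get);
    Broker::auto_event("bro/event/data_get", DataLevel::data_get);

    # Hold the packet source before the first packet is read. If the
    # listener never shows up, the fallback timer releases it anyway so a
    # misconfigured peer does not stall the run forever.
    suspend_processing();
    schedule connect_timeout { resume_processing() };
    }

# Nothing more will arrive after this, so let the listener exit cleanly.
event bro_done()
    {
    Broker::send_event("bro/event/control",
                       Broker::event_args(control_exit, "EXIT"));
    }
```

On the Python side the listener subscribes to "bro/event/control" alongside its data topics and leaves its receive loop when it sees the "EXIT" message.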

Just to point out one thing to prevent future annoyance on your part -
broker is currently getting a re-write which includes changed python APIs.

The new version of Broker will be used in Bro 2.6 and the old API will no
longer work. The current state is not yet merged into master, but you can
look at topic/actor-system of the broker repository; the best starting point
is probably the tests in
https://github.com/bro/broker/tree/topic/actor-system/tests/python

It might be worth taking a short look at the new syntax just so that you
know how you might have to adapt things in the future.

Johanna

I just wanted to point out that the Bro unit tests themselves also use an
approach like this.

See for example
https://github.com/bro/bro/blob/master/testing/btest/scripts/policy/frameworks/intel/seen/certs.bro

Johanna

Hi Justin,

Thanks for the reply. That's also what I planned to do. Do you have any idea what function is used on the Python side to close the connection? The toy example in the test folder does not have that part included.

Thanks a lot.

Best,
Wenyu

Just exiting your while loop and letting things get garbage collected should probably work. Failing that, it would be something like epl.close() or epl.disconnect().