Problem with Broccoli connection

Hello,

I'm just getting up to speed on Bro and Broccoli in an attempt to port some of our existing sensors to the Bro environment. I've been trying to connect unsuccessfully to a Bro server using the Barnyard2 alert_bro mechanism. The initial connection fails with a "Could not connect to Bro!" message. I attempted the same connection using py-broccoli and I get an IOError message. I've modified the local.bro script to contain:

@load policy/frameworks/communication/listen
redef Communication::listen_port = 47757/tcp;
@load policy/integration/barnyard2
redef Communication::nodes += {
  ["local"] = [$host=127.0.0.1, $class="barnyard",$events=/Barnyard2:barnyard_alert/,$connect=F]
  };

From examining the spo_alert_bro.c code in a debugger, it seems that the socket call in try_connect in the broccoli bro_openssl.c is failing.

Is my local.bro code correct? It seems that Bro is not accepting Broccoli connections.

Any help would be greatly appreciated.

Thanks,
Dan

You need two commas in that event name. Sorry I didn't get that integration done in the Barnyard2 integration scripts already, I really should have.

  .Seth

Arg! Two colons. You could even just use /Barnyard2::.*/

  .Seth

Seth,

Thanks for the quick reply. Turns out that the missing colon was just a transcription error in hand copying the code to my email computer. The original had two colons. The problem seems to be that the instance of Bro never sees the connection from Broccoli. There's no indication in the logs that the connection was attempted and the barnyard2 instance dies with the message:

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/home/dwyschogrod/suricata-local/etc/barnyard2.conf"
Log directory = /home/dwyschogrod/suricata-local/logs
alert_bro Connecting to Bro (127.0.0.1:12345)...ERROR: failed!
Could not connect to Bro!
Fatal Error, Quitting..

The latest version of my local.bro code (I've changed the listen_port):

@load policy/frameworks/communication/listen
redef Communication::listen_port = 12345/tcp;
#redef Communication::listen_interface = 127.0.0.1;
redef Communication::listen_ssl = F;
@load policy/integration/barnyard2
redef Communication::nodes += {
        ["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::.*/, $connect = F, $ssl = F]
    };

Thanks again for the help.

Dan

Seth,

I think I've tracked down the problem, but it leads to another mystery. In my local.bro file, as I've pointed out, I have inserted the line:

redef Communication::listen_port = 12345/tcp;

In the barnyard2.conf file, I've added:

output alert_bro: 127.0.0.1:12345

I'm expecting, of course, a connection on port 12345. However, when I did a "netstat -l", I discovered that the bro process was listening on port 47760! The output from netstat -l was:

tcp 0 0 0.0.0.0:47760 0.0.0.0:* LISTEN 6326/bro

When I changed the barnyard2.conf to:

output alert_bro: 127.0.0.1:47760

the connection took place as expected. In addition, py-broccoli makes the connection as well when i use:
Connection("127.0.0.1:47760")

On further investigation, I found that a bro file was generated in spool/installed-scripts-do-not-touch/auto called standalone-layout.bro. Its content is:

# Automatically generated. Do not edit.
redef Communication::listen_port = 47760/tcp;
redef Communication::nodes += {
        ["control"] = [$host=127.0.0.1, $zone_id="", $class="control", $events=Control::controller_events],
};

The 47760 port is the same in the standalone-layout.bro no matter what I set the listen_port to in local.bro. Where does the 47760 port come from and what can I do to use a different port?

Thanks again,
Dan

Oh, are you running this through BroControl? BroControl configures the communication framework for you. All you need to do is add another value to the Communication::nodes variable with the events to listen to.

redef Communication::nodes += {
       ["barnyard2"] = [$host=127.0.0.1, $class="Barnyard2", $events=/Barnyard2::.*/],
};

You *should* now be able to connect to the process, but you'll have to connect on port 47760/tcp. Is there a particular reason that you want to change that? You can't really do that in any BroControl deployment at the moment, and the communication code only can listen on a single port per Bro process.

This is a somewhat undefined area of operation because there hasn't been a lot of work to integrated external applications on clusters like this yet.

  .Seth

Seth,

Thanks for clarifying that. I can certainly live with port 47760 now that I know that it's the "official" port. It probably would be a good idea to add to the documentation that BroControl uses this port, though I might have missed it.

Going forward, we hope to contribute some of our work with external sensors.

Thanks again for your help.

Dan

Going forward, we hope to contribute some of our work with external sensors.

Just to bring it to your attention, I did do a patch [1] to the Barnyard2 output plugin for Bro that fixed some bugs, but it doesn't look like it's in a release yet. So if you run in to more issues, that might be your answer (or your problem).

    Jon