React based on Bro event (block/unblock connection)

I would like to send Bro data (e.g. connection) to a backend python program on some events.
I tried to use the netcontrol broker to communicate with an external
python client like ([](
But when I added an event, it crashed.

Can you provide more info? e.g. exact code that you're trying. Was
it bro or the python program that crashed? Any other relevant output
or error messages?

- Jon

Hi Jon,
I modified the code many times, and couldn't reproduce the error.
I simply modified this to add an event.

I would like to add rules inside the 'connection_established()' event rather than in NetControl::init(), so the Python script can react based on the connection_established event.

@load base/frameworks/netcontrol
redef exit_only_after_terminate = T;

event NetControl::init()
    {
    local netcontrol_broker = NetControl::create_broker(NetControl::BrokerConfig($host=, $bport=9977/tcp, $topic="bro/event/ne$
    NetControl::activate(netcontrol_broker, 0);
    }

event NetControl::init_done() &priority=-5
    {
    print "Init done";

    # drop rule goes through to
    NetControl::drop_address(, 15sec, "Hi there");
    }

event connection_established(c: connection)
    {
    # can't receive this drop in, only it gets connectionestablished not the drop rule!!
    NetControl::drop_address(, 15sec, "Hi there");
    }

However, on the Python client I only get connection_established, but not the drop rule of NetControl::drop_address.

I run it like this:
bro -C -r …/traces/tls/ecdhe.pcap simple-test.bro

python │netcontrol-3-ssh-guesser.bro todo.txt
DEBUG:netcontrol.api:Set up listener for (bro/event/net│netcontrol-9-skeleton.bro weird.log
control-example) │netcontrol-9-use-skeleton.bro x509.log
DEBUG:netcontrol.api:Waiting for broker message… │netcontrol.log
DEBUG:netcontrol.api:Handling broker status message… │pi@raspberrypi:~/test_bro $
INFO:netcontrol.api:Incoming connection established │rm *.log
<ResponseType.ConnectionEstablished: 1>

Thank you,

The Python program crashes or gives me communication established.

You may be running into a common race condition where the pcap file is read before the netcontrol broker connection is initialized. There are 2 ways of going about testing this differently. The first way would be to run bro on live traffic by using -i eth0 instead of reading a pcap file. I would also change

NetControl::drop_address(, 15sec, "Hi there");

to

NetControl::drop_address(c$id$resp_h, 15sec, "Hi there");

so that for each connection bro sees it will try to drop a different address and not just each time. I believe netcontrol tracks drops internally so by dropping the same each time you would only see one broker message every 15 seconds instead of each time.

If you need to test using a pcap file you should be able to use the method that is used in the test suite:

Essentially you would add a

event bro_init()
    { suspend_processing(); }

so that bro pauses processing of the pcap traffic as soon as it starts. Then, inside NetControl::init_done you would call continue_processing(). This way the pcap is only analyzed after netcontrol is fully initialized.
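
The suggestions in the reply above, combined into one script for the pcap case, as an added example that is not code from the thread or from the Bro project. The host 127.0.0.1 is a placeholder for wherever the Python client listens, the topic is taken from the listener line in the client's debug output, and the T passed as the can_expire argument is an assumption:

```bro
@load base/frameworks/netcontrol

# Do not exit when the pcap ends; Bro keeps running until terminate() is called.
redef exit_only_after_terminate = T;

event bro_init()
    {
    # Hold packet processing until the NetControl backend is connected.
    suspend_processing();
    }

event NetControl::init()
    {
    local netcontrol_broker = NetControl::create_broker(
        NetControl::BrokerConfig($host=127.0.0.1,  # placeholder host (assumption)
                                 $bport=9977/tcp,
                                 $topic="bro/event/netcontrol-example"),
        T);  # can_expire flag (assumption)
    NetControl::activate(netcontrol_broker, 0);
    }

event NetControl::init_done() &priority=-5
    {
    print "Init done";
    # All activated backends are ready: release the pcap.
    continue_processing();
    }

event connection_established(c: connection)
    {
    # Drop the responder of each connection, so every connection to a new
    # responder produces its own rule instead of repeating one fixed address.
    NetControl::drop_address(c$id$resp_h, 15sec, "Hi there");
    }
```

Start the Python client first, then run the script against the pcap as before; connection_established only fires once init_done has called continue_processing().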