Some events not received by broccoli

Hello,

I’m using broccoli to receive bro (2.2-5) events and am having some problems. Consider the following.

The broccoli client is listening to 2 events.
bro_event_registry_add(m_bc, "file_new", (BroEventFunc)&Broccoli::newFile, this);
bro_event_registry_add(m_bc, "test_event", (BroEventFunc)&Broccoli::newFile, this);

The following bro script is used.


global test_event: event(f: fa_file);
event file_new(f: fa_file)
    {
    event test_event(f);
    }

The file_new event is correctly received by my broccoli client; however, the test_event is not received. If I change the content of the test_event to something else, it works.


global test_event: event(f: string);
event file_new(f: fa_file)
    {
    event test_event(f$mime_type);
    }

So, is this expected and in that case why and what is the proposed way of solving the issue?

(Also noticed that the file_state_removed(f: fa_file) event is not received by the broccoli client.)

Thank you
/Björn

Björn Samvik
Software Developer

NetClean

It’s somewhat of a bug in broccoli: it doesn't support receiving events that have arguments containing vector values and silently discards those that do. The reason why file_new is received, but not test_event/file_state_removed is because the fa_file record argument starts off with some optional vector fields that aren’t initialized and they later become populated by some Bro scripts before test_event/file_state_removed make it through the event queue.

I’ve patched broccoli [1] to be able to receive vectors, which should fix your problem if you want to try it. Otherwise, the workaround is to send the broccoli client simpler data types (Bro connection/fa_file/*::Info records can get complicated), perhaps picking out just pieces you need.

- Jon

[1] https://bro-tracker.atlassian.net/browse/BIT-1100
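The workaround described in the reply above, sketched as a Bro script (an added example, not code from either poster or from the Bro project). The record name `FileSummary`, the event name `file_summary`, and the choice of fields are assumptions made for illustration; the point is that the event argument contains only scalar fields, so an unpatched broccoli has no vector to discard it over.

```bro
# Added example: hypothetical names FileSummary / file_summary.
# Only scalar fields are copied out of fa_file, so the event argument
# never contains a vector, whatever other scripts have added to f.
type FileSummary: record {
    id:         string;            # file analysis ID (f$id)
    source:     string;            # protocol/source the file came from
    seen_bytes: count;             # bytes seen so far
    mime_type:  string &optional;  # may not be set for every file
};

# Declared without a handler on the Bro side; the broccoli client
# registers for it, as the original script does with test_event.
global file_summary: event(s: FileSummary);

function summarize(f: fa_file): FileSummary
    {
    local s: FileSummary = [$id=f$id, $source=f$source,
                            $seen_bytes=f$seen_bytes];

    # Copy the optional field only when it is present, so the
    # record stays valid for files without a detected MIME type.
    if ( f?$mime_type )
        s$mime_type = f$mime_type;

    return s;
    }

# file_state_removed is one of the events that the unpatched client
# did not receive when it carried the full fa_file record.
event file_state_removed(f: fa_file)
    {
    event file_summary(summarize(f));
    }
```

The client would register for `file_summary` with `bro_event_registry_add` in the same way it registers for `test_event` in the original post.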

Hello

I have tested your patch and it works perfectly.

Thanks for the information and the patch.

/Björn
