6 Dec
2012
6 Dec
'12
6:55 a.m.
I'm pretty new to Bro and am just trying to understand how to go about
getting events programmatically from the sensor (10.0.0.1). Here's my test
scenario.
I see entries constantly being added to the ssl.log file. Since this is a
pretty busy file, I decide to try to register an event handler (using
ipython) to capture those events on a separate system (using the python
interface):
from broccoli import *
bc = Connection("10.0.0.1:47760")
@event
def ssl_conn_attempt(connection, version, ciphers):
print connection, version, ciphers
while True:
bc.processInput()
But I never see my callback triggered even though I see constant activity
in the ssl.log file. What am I doing wrong?
Thanks in advance!
Justin
6 Dec
6 Dec
3:51 p.m.
On Dec 6, 2012, at 12:55 AM, Justin Thomas <justin(a)justinthomas.name> wrote:
@event
def ssl_conn_attempt(connection, version, ciphers):
Where did you get this event from? That is an old event that was removed prior to the 2.0
release. You can refer to the following link for all of our current (2.1 release)
analyzer generated events:
http://bro-ids.org/documentation/scripts/base/event.bif.html
Are you running Bro with BroControl in standalone mode too? If you run a cluster and you
only connect to your manager you won't see these events either because the protocol
events aren't being generated on the manager. It looks like you're doing the
right things in your python script though.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
5:56 p.m.
From here:
http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_E…
I guess the "old" in the URL should have tipped me off. I had some trouble
finding descriptions of built-in events, so I just grabbed the first thing
that looked reasonable. I'll look over the document you linked below. I did
try using the "new_connection" event with similar results (i.e., none), so
your comment on the cluster configuration may also be a sticking point for
me.
I'll look over my configuration with that note about the manager not
generating the protocol events in mind; I'm not sure on the specifics (if I
recall correctly, I think I configured it as a cluster for future expansion
but am only running on one machine right now).
On Thu, Dec 6, 2012 at 6:51 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 6, 2012, at 12:55 AM, Justin Thomas <justin(a)justinthomas.name>
wrote:
@event
def ssl_conn_attempt(connection, version, ciphers):
Where did you get this event from? That is an old event that was removed
prior to the 2.0 release. You can refer to the following link for all of
our current (2.1 release) analyzer generated events:
http://bro-ids.org/documentation/scripts/base/event.bif.html
Are you running Bro with BroControl in standalone mode too? If you run a
cluster and you only connect to your manager you won't see these events
either because the protocol events aren't being generated on the manager.
It looks like you're doing the right things in your python script though.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
6:14 p.m.
It actually is configured as standalone - my mistake.
I changed my python script to:
from broccoli import *
bc = Connection("10.0.0.1:47760")
@event
def new_connection(event):
On Thu, Dec 6, 2012 at 8:56 AM, Justin Thomas <justin(a)justinthomas.name>wrote;wrote:
From here:
http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_E…
I guess the "old" in the URL should have tipped me off. I had some trouble
finding descriptions of built-in events, so I just grabbed the first thing
that looked reasonable. I'll look over the document you linked below. I did
try using the "new_connection" event with similar results (i.e., none), so
your comment on the cluster configuration may also be a sticking point for
me.
I'll look over my configuration with that note about the manager not
generating the protocol events in mind; I'm not sure on the specifics (if I
recall correctly, I think I configured it as a cluster for future expansion
but am only running on one machine right now).
On Thu, Dec 6, 2012 at 6:51 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 6, 2012, at 12:55 AM, Justin Thomas <justin(a)justinthomas.name>
wrote:
@event
def ssl_conn_attempt(connection, version, ciphers):
Where did you get this event from? That is an old event that was removed
prior to the 2.0 release. You can refer to the following link for all of
our current (2.1 release) analyzer generated events:
http://bro-ids.org/documentation/scripts/base/event.bif.html
Are you running Bro with BroControl in standalone mode too? If you run a
cluster and you only connect to your manager you won't see these events
either because the protocol events aren't being generated on the manager.
It looks like you're doing the right things in your python script though.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
6:18 p.m.
Argh - no tabs in Gmail.
@event
def new_connection(connection):
print connection
while True:
bc.processInput()
...and still don't see any activity despite seeing lots of messages in
conn.log.
Any troubleshooting tips? I also know that the connection to the sensor is
being established - I'm entering the script interactively via ipython and
no errors are generated (and I see the connected socket via netstat on the
sensor).
On Thu, Dec 6, 2012 at 9:14 AM, Justin Thomas <justin(a)justinthomas.name>wrote;wrote:
It actually is configured as standalone - my mistake.
I changed my python script to:
from broccoli import *
bc = Connection("10.0.0.1:47760")
@event
def new_connection(event):
On Thu, Dec 6, 2012 at 8:56 AM, Justin Thomas <justin(a)justinthomas.name>wrote;wrote:
From here:
http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_E…
I guess the "old" in the URL should have tipped me off. I had some
trouble finding descriptions of built-in events, so I just grabbed the
first thing that looked reasonable. I'll look over the document you linked
below. I did try using the "new_connection" event with similar results
(i.e., none), so your comment on the cluster configuration may also be a
sticking point for me.
I'll look over my configuration with that note about the manager not
generating the protocol events in mind; I'm not sure on the specifics (if I
recall correctly, I think I configured it as a cluster for future expansion
but am only running on one machine right now).
On Thu, Dec 6, 2012 at 6:51 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 6, 2012, at 12:55 AM, Justin Thomas <justin(a)justinthomas.name>
wrote:
@event
def ssl_conn_attempt(connection, version, ciphers):
Where did you get this event from? That is an old event that was
removed prior to the 2.0 release. You can refer to the following link for
all of our current (2.1 release) analyzer generated events:
http://bro-ids.org/documentation/scripts/base/event.bif.html
Are you running Bro with BroControl in standalone mode too? If you run
a cluster and you only connect to your manager you won't see these events
either because the protocol events aren't being generated on the manager.
It looks like you're doing the right things in your python script though.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
10:54 p.m.
Here is a gist with my current efforts:
https://gist.github.com/4227811
I've tried all kinds of things - including adding my client node to the
"Communication::nodes" table on the bro sensor. That allowed me to see
"peerstatus" information using broctl when I connected using the Python
script, but my callback still never fired despite all kinds of connections
being logged in conn.log.
I'm not sure where to look next - I've read every example I can find. Any
tips would be helpful.
Thanks!
On Thu, Dec 6, 2012 at 9:18 AM, Justin Thomas <justin(a)justinthomas.name>wrote;wrote:
Argh - no tabs in Gmail.
@event
def new_connection(connection):
print connection
while True:
bc.processInput()
...and still don't see any activity despite seeing lots of messages in
conn.log.
Any troubleshooting tips? I also know that the connection to the sensor is
being established - I'm entering the script interactively via ipython and
no errors are generated (and I see the connected socket via netstat on the
sensor).
On Thu, Dec 6, 2012 at 9:14 AM, Justin Thomas <justin(a)justinthomas.name>wrote;wrote:
It actually is configured as standalone - my
mistake.
I changed my python script to:
from broccoli import *
bc = Connection("10.0.0.1:47760")
@event
def new_connection(event):
On Thu, Dec 6, 2012 at 8:56 AM, Justin Thomas <justin(a)justinthomas.name>wrote;wrote:
From here:
http://www-old.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_E…
I guess the "old" in the URL should have tipped me off. I had some
trouble finding descriptions of built-in events, so I just grabbed the
first thing that looked reasonable. I'll look over the document you linked
below. I did try using the "new_connection" event with similar results
(i.e., none), so your comment on the cluster configuration may also be a
sticking point for me.
I'll look over my configuration with that note about the manager not
generating the protocol events in mind; I'm not sure on the specifics (if I
recall correctly, I think I configured it as a cluster for future expansion
but am only running on one machine right now).
On Thu, Dec 6, 2012 at 6:51 AM, Seth Hall <seth(a)icir.org> wrote:
On Dec 6, 2012, at 12:55 AM, Justin Thomas <justin(a)justinthomas.name>
wrote:
> @event
> def ssl_conn_attempt(connection, version, ciphers):
Where did you get this event from? That is an old event that was
removed prior to the 2.0 release. You can refer to the following link for
all of our current (2.1 release) analyzer generated events:
http://bro-ids.org/documentation/scripts/base/event.bif.html
Are you running Bro with BroControl in standalone mode too? If you run
a cluster and you only connect to your manager you won't see these events
either because the protocol events aren't being generated on the manager.
It looks like you're doing the right things in your python script though.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
11:28 p.m.
Any troubleshooting tips? I also know that the
connection to the sensor is being established - I'm entering the script interactively
via ipython and no errors are generated (and I see the connected socket via netstat on the
sensor).
You could use tcpdump to see if any packets are actually sent after the connection is
made. Sometimes communication.log can have relevant information. And there's some
pybroccoli documentation at [1] if you haven't read it yet. You might also try to
get an even more minimal test to work first, like instead of using broctl, run bro from
the command line as `bro -b -i <iface> ./test.bro`.
test.bro:
@load frameworks/communication/listen
redef Communication::listen_port = 47760/tcp;
global my_event: event(cid: conn_id);
event new_connection(c: connection)
{
print "new_connection", c$id;
event my_event(c$id);
}
test.py:
#! /usr/bin/env python
from broccoli import *
conn_id = record_type("orig_h", "orig_p", "resp_h",
"resp_p")
@event(conn_id)
def my_event(cid):
print "my_event", cid
bc = Connection("127.0.0.1:47760")
while True:
bc.processInput()
And if that works, then you can try moving the event declaration/handler in to
share/bro/site/local.bro to see test.py works from your standalone broctl setup.
A couple other things about the example above:
1) For events that have record type parameters, they have to be defined in the python
script.
2) The "connection" type parameter for the "new_connection" event is
pretty complex, so I've declared "my_event" to be more deliberate in
picking out only a few fields.
Jon
[1] http://www.bro-ids.org/documentation/components/broccoli-python/README.html
11:41 p.m.
You're a miracle worker!
Instead of running it locally, I first tried just modifying site/local.bro
by adding your snippet:
global my_event: event(cid: conn_id);
event new_connection(c: connection) {
print "new_connection", c$id;
event my_event(c$id);
}
...and changing my Python script as you described below (pointing to my
sensor instead of localhost). Sure enough, it's printing all kinds of stuff
now.
I'll work with this some more to be sure I fully understand it. My working
assumption is that the lack of the proper record_type in Python was my main
hang-up.
Thanks!
On Thu, Dec 6, 2012 at 2:28 PM, Siwek, Jonathan Luke <jsiwek(a)illinois.edu>wrote;wrote:
Any troubleshooting tips? I also know that the
connection to the sensor
is being established - I'm entering the script
interactively via ipython
and no errors are generated (and I see the connected socket via netstat on
the sensor).
You could use tcpdump to see if any packets are actually sent after the
connection is made. Sometimes communication.log can have relevant
information. And there's some pybroccoli documentation at [1] if you
haven't read it yet. You might also try to get an even more minimal test
to work first, like instead of using broctl, run bro from the command line
as `bro -b -i <iface> ./test.bro`.
test.bro:
@load frameworks/communication/listen
redef Communication::listen_port = 47760/tcp;
global my_event: event(cid: conn_id);
event new_connection(c: connection)
{
print "new_connection", c$id;
event my_event(c$id);
}
test.py:
#! /usr/bin/env python
from broccoli import *
conn_id = record_type("orig_h", "orig_p", "resp_h",
"resp_p")
@event(conn_id)
def my_event(cid):
print "my_event", cid
bc = Connection("127.0.0.1:47760")
while True:
bc.processInput()
And if that works, then you can try moving the event declaration/handler
in to share/bro/site/local.bro to see test.py works from your standalone
broctl setup.
A couple other things about the example above:
1) For events that have record type parameters, they have to be defined in
the python script.
2) The "connection" type parameter for the "new_connection" event is
pretty complex, so I've declared "my_event" to be more deliberate in
picking out only a few fields.
Jon
[1]
http://www.bro-ids.org/documentation/components/broccoli-python/README.html
3458
days inactive
3458
days old
7 comments
3 participants
participants (3)
-
Justin Thomas -
Seth Hall -
Siwek, Jonathan Luke