[prev in list] [next in list] [prev in thread] [next in thread]
List: bro
Subject: Re: [Bro] React based on Bro event (block/unblock connection)
From: "Azoff, Justin S" <jazoff () illinois ! edu>
Date: 2018-11-17 2:39:49
Message-ID: SN6PR11MB3216AA4D0CF0624EC064E937A5DE0 () SN6PR11MB3216 ! namprd11 ! prod ! outlook ! com
[Download RAW message or body]
You may be running into a common race condition where the pcap file is read before \
the netcontrol broker connection is initialized. There are 2 ways of going about \
testing this differently. The first way would be to run bro on live traffic by using \
-i eth0 instead of reading a pcap file. I would also change
NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
to
NetControl::drop_address(c$id$resp_h, 15sec, "Hi there");
so that for each connection bro sees it will try to drop a different address and not \
just 1.1.2.2 each time. I believe netcontrol tracks drops internally so by dropping \
the same 1.1.2.2 each time you would only see one broker message every 15 seconds \
instead of each time.
If you need to test using a pcap file you should be able to use the method that is \
used in the test suite: \
https://github.com/bro/bro/blob/master/testing/btest/scripts/base/frameworks/netcontrol/broker.bro
Essentially you would add a
event bro_init()
{
suspend_processing();
}
so that bro pauses processing of the pcap traffic as soon as it starts. Then, inside \
NetControl::init_done you would call continue_processing(). This way the pcap is \
only analyzed after netcontrol is fully initialized.
________________________________
From: bro-bounces@bro.org <bro-bounces@bro.org> on behalf of Mohammed Alshaboti \
<alshaboti.it@gmail.com>
Sent: Friday, November 16, 2018 7:47:47 PM
To: jsiwek@corelight.com
Cc: Bro@bro.org
Subject: Re: [Bro] React based on Bro event (block/unblock connection)
Hi Jone,
I modified the code many times, and couldn't reproduce the error.
Simply I modified this \
https://github.com/bro/bro-netcontrol/blob/master/test/simple-test.bro<https://urldefe \
nse.proofpoint.com/v2/url?u=https-3A__github.com_bro_bro-2Dnetcontrol_blob_master_test \
_simple-2Dtest.bro&d=DwMFaQ&c=OCIEmEwdEq_aNlsP4fF3gFqSN-E3mlr2t9JcDdfOZag&r=JB1gr8Q2U3 \
j_GvRbWa2WDpXSSrvReahkLBFDmdXlCh0&m=KEa-1-nZ6w_QYP6Aa8AwgNIGKGoLVgQvWco4qasKkOU&s=RuJ6dVV1LvAnLJF7Gr8UIV295b5v5ZG5q0BlWhyyROM&e=> \
to add event https://github.com/bro/bro-netcontrol/blob/master/test/simple-client.py<h \
ttps://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bro_bro-2Dnetcontrol_bl \
ob_master_test_simple-2Dclient.py&d=DwMFaQ&c=OCIEmEwdEq_aNlsP4fF3gFqSN-E3mlr2t9JcDdfOZ \
ag&r=JB1gr8Q2U3j_GvRbWa2WDpXSSrvReahkLBFDmdXlCh0&m=KEa-1-nZ6w_QYP6Aa8AwgNIGKGoLVgQvWco4qasKkOU&s=-G5dZDne3LT8FSfKkRWuWYrkhfhGhZFOkul383f6vzA&e=>
I would like to add rules inside 'connection_established()' event rather than in \
netControl::init(), so python script can react based on established \
connection_established event. ""
@load base/frameworks/netcontrol
redef exit_only_after_terminate = T;
event NetControl::init()
{
local netcontrol_broker = \
NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=9977/tcp, \
$topic="bro/event/ne$ NetControl::activate(netcontrol_broker, 0);
}
event NetControl::init_done() &priority=-5
{
print "Init done";
# drop rule goes through to simple-client.py
NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
}
event connection_established(c: connection)
{
# can't receive this drop in simple-client.py, only it gets connectionestablished \
not the drop rule!! NetControl::drop_address(1.1.2.2, 15sec, "Hi there");
}
""
however, I only on python client I get connection_established but not the drop rule \
of NetControl::drop_address
I run it like this:
bro -C -r ../traces/tls/ecdhe.pcap simple-test.bro
python simple-client.py \
netcontrol-3-ssh-guesser.bro todo.txt DEBUG:netcontrol.api:Set up listener for \
127.0.0.1:9977<https://urldefense.proofpoint.com/v2/url?u=http-3A__127.0.0.1-3A9977&d= \
DwMFaQ&c=OCIEmEwdEq_aNlsP4fF3gFqSN-E3mlr2t9JcDdfOZag&r=JB1gr8Q2U3j_GvRbWa2WDpXSSrvReah \
kLBFDmdXlCh0&m=KEa-1-nZ6w_QYP6Aa8AwgNIGKGoLVgQvWco4qasKkOU&s=kRhaqblI7XVAaKhbJO8R3yisk_ipC8x0w85INov1PiY&e=> \
(bro/event/netnetcontrol-9-skeleton.bro weird.log control-example) \
netcontrol-9-use-skeleton.bro x509.log DEBUG:netcontrol.api:Waiting for broker \
message... netcontrol.log DEBUG:netcontrol.api:Handling broker \
status message... pi@raspberrypi:~/test_bro $ \
INFO:netcontrol.api:Incoming connection established rm *.log \
<ResponseType.ConnectionEstablished: 1>
Thank you,
Mohammed
The python program crash or give me communication established
On Fri, Nov 16, 2018 at 6:02 AM Jon Siwek \
<jsiwek@corelight.com<mailto:jsiwek@corelight.com>> wrote: On Wed, Nov 14, 2018 at \
11:38 PM Mohammed Alshaboti <alshaboti.it@gmail.com<mailto:alshaboti.it@gmail.com>> \
wrote:
> I would like to send Bro data (e.g. connection) to a backend python program on some \
> events. I tried to use the netcontrol broker to communicate with an external
> python client like \
> (https://github.com/bro/bro-netcontrol/tree/master/test<https://urldefense.proofpoin \
> t.com/v2/url?u=https-3A__github.com_bro_bro-2Dnetcontrol_tree_master_test&d=DwMFaQ&c \
> =OCIEmEwdEq_aNlsP4fF3gFqSN-E3mlr2t9JcDdfOZag&r=JB1gr8Q2U3j_GvRbWa2WDpXSSrvReahkLBFDm \
> dXlCh0&m=KEa-1-nZ6w_QYP6Aa8AwgNIGKGoLVgQvWco4qasKkOU&s=9uwugavHogTI8cWBQ6wifv6D9d9yC0D5bN2vuZWYg8E&e=>
> ).
> But when I added event it crashed.
Can you provide more info? e.g. exact code that you're trying. Was
it bro or the python program that crashed? Any other relevant output
or error messages?
- Jon
[Attachment #3 (text/html)]
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=koi8-r">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} \
--></style> </head>
<body dir="ltr">
<div id="divtagdefaultwrapper" \
style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" \
dir="ltr"> <p style="margin-top:0;margin-bottom:0">You may be running into a common \
race condition where the pcap file is read before the netcontrol broker \
connection is initialized. There are 2 ways of going about testing this \
differently. The first way would be to run bro on live traffic by using \
-i eth0 instead of reading a pcap file. I would also change</p> <p \
style="margin-top:0;margin-bottom:0"><br> </p>
<p style="margin-top:0;margin-bottom:0"></p>
<div style="color: rgb(33, 33, 33); font-family: wf_segoe-ui_normal, "Segoe \
UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; \
font-size: 15px;"> NetControl::drop_address(1.1.2.2, 15sec, "Hi \
there");</div> <div><br>
</div>
<div>to</div>
<div><br>
</div>
<div>
<div style="color: rgb(33, 33, 33); font-family: wf_segoe-ui_normal, "Segoe \
UI", "Segoe WP", Tahoma, Arial, sans-serif, serif, EmojiFont; \
font-size: 15px;"> NetControl::drop_address(c$id$resp_h, 15sec, "Hi \
there");</div> <div><br>
</div>
<div>so that for each connection bro sees it will try to drop a different \
address and not just 1.1.2.2 each time. I believe netcontrol tracks drops \
internally so by dropping the same 1.1.2.2 each time you would only see one broker \
message every 15 seconds instead of each time.</div>
<div><br>
</div>
<div><br>
</div>
<div>If you need to test using a pcap file you should be able to use the \
method that is used in the test suite: <a \
href="https://github.com/bro/bro/blob/master/testing/btest/scripts/base/frameworks/netcontrol/broker.bro" \
class="OWAAutoLink" id="LPlnk762547" \
previewremoved="true">https://github.com/bro/bro/blob/master/testing/btest/scripts/base/frameworks/netcontrol/broker.bro</a></div>
<div><br>
</div>
<div>Essentially you would add a</div>
<div><br>
</div>
<div>
<div>event bro_init()</div>
<div><span style="white-space:pre"></span>{</div>
<div><span style="white-space:pre"></span>suspend_processing();</div>
<div><span style="white-space:pre"></span>}</div>
<br>
</div>
<div>so that bro pauses processing of the pcap traffic as soon as it starts. \
Then, inside <span>NetControl::init_done you would call </span><span \
style="font-size: 12pt;">continue_processing(). This way the pcap is only \
analyzed after netcontrol is fully initialized.</span><span>
<div><br>
</div>
</span></div>
<br>
</div>
<p></p>
</div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" \
style="font-size:11pt" color="#000000"><b>From:</b> bro-bounces@bro.org \
<bro-bounces@bro.org> on behalf of Mohammed Alshaboti \
<alshaboti.it@gmail.com><br> <b>Sent:</b> Friday, November 16, 2018 7:47:47 \
PM<br> <b>To:</b> jsiwek@corelight.com<br>
<b>Cc:</b> Bro@bro.org<br>
<b>Subject:</b> Re: [Bro] React based on Bro event (block/unblock connection)</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">Hi Jone,
<div>I modified the code many times, and couldn't reproduce the error. </div>
<div>Simply I modified this <a \
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bro_bro-2Dnetcon \
trol_blob_master_test_simple-2Dtest.bro&d=DwMFaQ&c=OCIEmEwdEq_aNlsP4fF3gFqSN-E \
3mlr2t9JcDdfOZag&r=JB1gr8Q2U3j_GvRbWa2WDpXSSrvReahkLBFDmdXlCh0&m=KEa-1-nZ6w_QY \
P6Aa8AwgNIGKGoLVgQvWco4qasKkOU&s=RuJ6dVV1LvAnLJF7Gr8UIV295b5v5ZG5q0BlWhyyROM&e=" \
target="_blank">https://github.com/bro/bro-netcontrol/blob/master/test/simple-test.bro</a> to
add event </div>
<div><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bro_bro- \
2Dnetcontrol_blob_master_test_simple-2Dclient.py&d=DwMFaQ&c=OCIEmEwdEq_aNlsP4f \
F3gFqSN-E3mlr2t9JcDdfOZag&r=JB1gr8Q2U3j_GvRbWa2WDpXSSrvReahkLBFDmdXlCh0&m=KEa- \
1-nZ6w_QYP6Aa8AwgNIGKGoLVgQvWco4qasKkOU&s=-G5dZDne3LT8FSfKkRWuWYrkhfhGhZFOkul383f6vzA&e=" \
target="_blank">https://github.com/bro/bro-netcontrol/blob/master/test/simple-client.py</a><br>
</div>
<div><br>
</div>
<div>I would like to add rules inside 'connection_established()' event rather \
than in netControl::init(), so python script can react based on established \
connection_established event. </div> <div>""</div>
<div>
<div>@load base/frameworks/netcontrol</div>
<div>redef exit_only_after_terminate = T;<br>
</div>
<div>event NetControl::init()<br>
</div>
<div> {</div>
<div> local netcontrol_broker = \
NetControl::create_broker(NetControl::BrokerConfig($host=127.0.0.1, $bport=9977/tcp, \
$topic="bro/event/ne$</div> <div> \
NetControl::activate(netcontrol_broker, 0);</div> <div> \
}</div> <div>event NetControl::init_done() &priority=-5<br>
</div>
<div> {</div>
<div> print "Init done";</div>
<div> # drop rule goes through to simple-client.py</div>
<div> NetControl::drop_address(1.1.2.2, 15sec, "Hi \
there");</div> <div> }</div>
<div>event connection_established(c: connection)</div>
<div> {</div>
<div> # can't receive this drop in simple-client.py, only it gets \
connectionestablished not the drop rule!!</div> <div> \
NetControl::drop_address(1.1.2.2, 15sec, "Hi there");</div> <div> \
}</div> </div>
<div>"" </div>
<div>however, I only on python client I get connection_established but not the drop \
rule of NetControl::drop_address</div> <div><br>
</div>
<div>I run it like this: </div>
<div>bro -C -r ../traces/tls/ecdhe.pcap simple-test.bro<br>
</div>
<div><br>
</div>
<div>
<div>python simple-client.py \
\
netcontrol-3-ssh-guesser.bro \
todo.txt</div> <div>DEBUG:netcontrol.api:Set up listener for <a \
href="https://urldefense.proofpoint.com/v2/url?u=http-3A__127.0.0.1-3A9977&d=DwMFa \
Q&c=OCIEmEwdEq_aNlsP4fF3gFqSN-E3mlr2t9JcDdfOZag&r=JB1gr8Q2U3j_GvRbWa2WDpXSSrvR \
eahkLBFDmdXlCh0&m=KEa-1-nZ6w_QYP6Aa8AwgNIGKGoLVgQvWco4qasKkOU&s=kRhaqblI7XVAaKhbJO8R3yisk_ipC8x0w85INov1PiY&e=">
127.0.0.1:9977</a> (bro/event/netnetcontrol-9-skeleton.bro \
weird.log</div> <div>control-example) \
\
\
netcontrol-9-use-skeleton.bro x509.log</div> \
<div>DEBUG:netcontrol.api:Waiting for broker message... \
netcontrol.log</div> \
<div>DEBUG:netcontrol.api:Handling broker status message... \
pi@raspberrypi:~/test_bro $</div> \
<div>INFO:netcontrol.api:Incoming connection established \
rm *.log</div> \
<div><ResponseType.ConnectionEstablished: 1> </div> </div>
<div><br>
</div>
<div>Thank you, </div>
<div>Mohammed</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
<div>The python program crash or give me communication established </div>
</div>
<div dir="ltr">
<div><br>
<div class="x_gmail_quote">
<div dir="ltr">On Fri, Nov 16, 2018 at 6:02 AM Jon Siwek <<a \
href="mailto:jsiwek@corelight.com" target="_blank">jsiwek@corelight.com</a>> \
wrote:<br> </div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px \
solid rgb(204,204,204); padding-left:1ex"> On Wed, Nov 14, 2018 at 11:38 PM Mohammed \
Alshaboti<br> <<a href="mailto:alshaboti.it@gmail.com" \
target="_blank">alshaboti.it@gmail.com</a>> wrote:<br> <br>
> I would like to send Bro data (e.g. connection) to a backend python program on \
some events.<br> > I tried to use the netcontrol broker to communicate with an \
external<br> > python client like (<a \
href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_bro_bro-2Dnetcon \
trol_tree_master_test&d=DwMFaQ&c=OCIEmEwdEq_aNlsP4fF3gFqSN-E3mlr2t9JcDdfOZag&a \
mp;r=JB1gr8Q2U3j_GvRbWa2WDpXSSrvReahkLBFDmdXlCh0&m=KEa-1-nZ6w_QYP6Aa8AwgNIGKGoLVgQvWco4qasKkOU&s=9uwugavHogTI8cWBQ6wifv6D9d9yC0D5bN2vuZWYg8E&e=" \
rel="noreferrer" target="_blank">https://github.com/bro/bro-netcontrol/tree/master/test</a><br>
> ).<br>
> But when I added event it crashed.<br>
<br>
Can you provide more info? e.g. exact code that you're trying. Was<br>
it bro or the python program that crashed? Any other relevant output<br>
or error messages?<br>
<br>
- Jon<br>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--===============0417389468==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic