Similarly to many other software packages, the Broccoli distribution provides a script that you can use to obtain details about your Broccoli setup. The script currently provides the following flags:
--build prints the name of the machine the build was made on, when, and whether debugging support was enabled or not.
--prefix prints the directory in the filesystem below which Broccoli was installed.
--version prints the version of the distribution you have installed.
--libs prints the flags to pass to the linker in order to link in the Broccoli library.
--cflags prints the flags to pass to the compiler in order to properly include Broccoli's header file.
--config prints the location of the system-wide config file your installation will use.
The --cflags and --libs flags are the suggested way of obtaining the necessary information for integrating Broccoli into your build environment. It is generally recommended to use broccoli-config for this purpose, rather than, say, develop new autoconf tests. If you use the autoconf/automake tools, we recommend something along the following lines for your configure script:
dnl ################################################## dnl # Check for Broccoli dnl ################################################## AC_ARG_WITH(broccoli-config, AC_HELP_STRING([--with-broccoli-config=FILE], [Use given broccoli-config]), [ brocfg="$withval" ], [ AC_PATH_GENERIC(broccoli,, brocfg="broccoli-config", AC_MSG_ERROR(Cannot find Broccoli: Is broccoli-config in path? Use more fertilizer?)) ]) broccoli_libs=`$brocfg --libs` broccoli_cflags=`$brocfg --cflags` AC_SUBST(broccoli_libs) AC_SUBST(broccoli_cflags) |
You can then use the compiler/linker flags in your Makefile.in/ams by substituting in the values accordingly, which might look as follows:
CFLAGS = -W -Wall -g -DFOOBAR @broccoli_cflags@ LDFLAGS = -L/usr/lib/foobar @broccoli_libs@ |
Often you will want to make existing applications Bro-aware,
that is, instrument them so that they can send and
receive Bro events at appropriate moments in the execution flow.
This will involve modifying an existing code tree, so care needs to
be taken to avoid unwanted side effects. By protecting the instrumented
code with
#ifdef
/#endif
statements you can still build the original application, using the
instrumented source tree. The broccoli-config script helps you in doing so because
it already adds -DBROCCOLI
to the compiler flags
reported when run with the --cflags option:
cpk25@localhost:/home/cpk25 > broccoli-config --cflags -I/usr/local/include -I/usr/local/include -DBROCCOLI |
So simply surround all inserted code with a preprocessor check
for BROCCOLI
and you will be able to
build the original application as soon as BROCCOLI
is not defined.
Time for some code. In the code snippets below we will introduce variables whenever context requires them and not necessarily when C requires them. The library does not require calling a global initialization function. In order to make the API known, include broccoli.h:
#ifdef BROCCOLI #include <broccoli.h> #endif |
![]() | A note on Broccoli's memory management philosophy: Broccoli generally does not release objects you allocate. The approach taken is "you clean up what you allocate." |
Broccoli requires global initialization before most of its other other functions can be used. Generally, the way to initialize Broccoli is as follows:
bro_init(NULL); |
The argument to
bro_init()
NULL
for normal use. If required, you may
allocate a BroCtx structure locally,
initialize it using
bro_ctx_init()
bro_init()
BroCtx ctx; bro_ctx_init(&ctx); /* Make adjustments to the context structure as required... */ bro_init(&ctx); |
![]() | The BroCtx structure currently contains a set of five different callback function pointers. These are required for thread-safe operation of OpenSSL (Broccoli itself is thread-safe). If you intend to use Broccoli in a multithreaded environment, you need to implement functions and register them via the BroCtx structure. The O'Reilly book "Network Security with OpenSSL" by Viega et al. shows how to implement these callbacks. |
![]() | You must call
|
Broccoli declares a number of data types in broccoli.h that you should know about. The more complex ones are kept opaque, while you do get access to the fields in the simpler ones. The full list is as follows:
Simple signed and unsigned types: int, uint, uint32, uint16 and uchar.
Connection handles: BroConn, kept opaque.
Bro events: BroEvent, kept opaque.
Buffer objects: BroBuf, kept opaque. See the separate
Ports: BroPort for network ports, defined as follows:
typedef struct bro_port { uint16 port_num; /* port number in host byte order */ int port_proto; /* IPPROTO_xxx */ } BroPort; |
Records: BroRecord, kept opaque. See the separate
Strings (character and binary): BroString, defined as follows:
typedef struct bro_string { int str_len; char *str_val; } BroString; |
BroStrings are mostly kept transparent for convenience; please have a look at the
string API:
bro_string_init()
bro_string_set()
bro_string_set_data()
bro_string_copy()
bro_string_cleanup()
bro_string_free()
Tables: BroTable, kept opaque. See the separate
Sets: BroSet, kept opaque. See the separate
Subnets: BroSubnet, defined as follows:
typedef struct bro_subnet { uint32 sn_net; /* IP address in network byte order */ uint32 sn_width; /* Length of prefix to consider. */ } BroSubnet; |
You can use Broccoli to establish a connection to a remote Bro, or to create a Broccoli-enabled server application that other Bros will connect to. (This means that in principle, you can also use Broccoli purely as middleware and have multiple Broccoli applications communicate directly.)
In order to establish a connection to a remote Bro, you first obtain a connection
handle. You then use this connection handle to request events, connect to the
remote Bro, send events, etc. Connection handles are pointers to BroConn
structures, which are kept opaque. Use
bro_conn_new()
bro_conn_new_str()
To write a Broccoli-enabled server, you first need to implement the usual
socket()
/ bind()
/
listen()
/ accept()
routine.
Once you have obtained a file descriptor for the new connection from accept()
,
you pass it to the third function that returns a BroConn
handle,
bro_conn_new_socket()
All three calls accept additional flags for fine-tuning connection behaviour. These flags are:
BRO_CFLAG_NONE
: no functionality. Use when
no flags are desired.
BRO_CFLAG_RECONNECT
:
When using this option, Broccoli will attempt to reconnect to the peer
after lost connectivity transparently. Essentially whenever you try to
read from or write to the peer and its connection broke down, a
full reconnect including complete handshaking is attempted. You can check
whether the connection to a peer is alive at any time using
bro_conn_alive()
BRO_CFLAG_ALWAYS_QUEUE
:
When using this option, Broccoli will queue any events you send for
later transmission when a connection is currently down. Without using this
flag, any events you attempt to send while a connection is down get dropped
on the floor. Note that Broccoli maintains a maximum queue size per connection
so if you attempt to send lots of events while the connection is down, the
oldest events may start to get dropped nonetheless. Again, you can check
whether the connection is currently okay by using
bro_conn_alive()
BRO_CFLAG_DONTCACHE
:
When using this option, Broccoli will ask the peer not to use caching on
the objects it sends to us. This is the default, and the flag need not
normally be used. It is kept to maintain backward compatibility.
BRO_CFLAG_CACHE
:
When using this option, Broccoli will ask the peer to use caching on
the objects it sends to us. Caching is normally disabled.
BRO_CFLAG_YIELD
: When
using this option,
bro_conn_process_input()
processes at most one event at a time and then
returns.
By obtaining a connection handle, you do not also establish a connection right
away. This is done using
bro_conn_connect()
bro_event_registry_add()
bro_conn_connect()
Finally, bro_conn_delete()
bro_conn_get_fd()
char host_str = "bro.yourorganization.com"; int port = 1234; struct hostent *host; BroConn *bc; if (! (host = gethostbyname(host_str)) || ! (host->h_addr_list[0])) { /* Error handling -- could not resolve host */ } /* In this example, we obtain a connection handle, then register event handlers, * and finally connect to the remote Bro. * * First obtain a connection handle: */ if (! (bc = bro_conn_new((struct in_addr*) host->h_addr_list[0], htons(port), BRO_CFLAG_NONE))) { /* Error handling - could not get connection handle */ } /* Register event handlers: */ bro_event_registry_add(bc, "foo", bro_foo_handler, NULL); /* ... */ /* Now connect to the peer: */ if (! bro_conn_connect(bc)) { /* Error handling - could not connect to remote Bro. */ } /* Send and receive events ... */ /* Disconnect from Bro and clean up connection */ bro_conn_delete(bc); |
Or simply use the string-based version:
char host_str = "bro.yourcompany.com:1234"; BroConn *bc; /* In this example we don't request any events from the peer, but * we ask it not to use the serialization cache. * * Again, first obtain a connection handle: */ if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) { /* Error handling - could not get connection handle */ } /* Now connect to the peer: */ if (! bro_conn_connect(bc)) { /* Error handling - could not connect to remote Bro. */ } /* ... */ |
When you want to establish connections from multiple Broccoli applications with different purposes, the peer needs a means to understand what kind of application each connection belongs to. The real meaning of "kind of application" here is "sets of event types to request", because depending on the class of an application, the peer will likey want to receive different types of events.
Broccoli lets you set the class of a connection using
bro_conn_set_class()
bro_conn_connect()
if (! (bc = bro_conn_new_str(host_str, BRO_CFLAG_DONTCACHE))) { /* Error handling - could not get connection handle */ } /* Set class of this connection: */ bro_conn_set_class(bc, "syslog"); if (! bro_conn_connect(bc)) { /* Error handling - could not connect to remote Bro. */ } |
If your peer is a Bro node, you need to match the chosen connection class in
the remote Bro's Remote::destinations
configuration.
See bro_conn_get_peer_class()
In order to send an event to the remote Bro agent, you first create an empty event structure with the name of the event, then add parameters to pass to the event handler at the remote agent, and then send off the event.
![]() | Bro peers ignore unrequested events. You need to make sure that the remote Bro agent is interested in receiving
the events you send. This interest is expressed in policy configuration.
We'll explain this in more detail |
Let's assume we want to request a report of all connections a remote
Bro currently keeps state for that match a given destination port and
host name and that have amassed more than a certain number of bytes.
The idea is to send an event to the remote Bro that contains the
query, identifiable through a request ID, and have the remote Bro
answer us with remote_conn
events
containing the information we asked for. The definition of our
requesting event could look as follows in the Bro policy:
event report_conns(req_id: int, dest_host: string, dest_port: port, min_size: count); |
First, create a new event:
BroEvent *ev; if (! (ev = bro_event_new("report_conns"))) { /* Error handling - could not allocate new event. */ } |
Now we need to add parameters to the event. The sequence and types must
match the event handler declaration check the Bro policy to make
sure they match. The function to use for adding parameter values is
bro_event_add_val()
Knowing these, we can now compose a
request_connections
event:
BroString dest_host; BroPort dest_port; uint32 min_size; int req_id = 0; bro_event_add_val(ev, BRO_TYPE_INT, NULL, &req_id); req_id++; bro_string_set(&dest_host, "desthost.destdomain.com"); bro_event_add_val(ev, BRO_TYPE_STRING, NULL, &dest_host); bro_string_cleanup(&dest_host); dest_port.dst_port = 80; dest_port.dst_proto = IPPROTO_TCP; bro_event_add_val(ev, BRO_TYPE_PORT, NULL, &dest_port); min_size = 1000; bro_event_add_val(ev, BRO_TYPE_COUNT, NULL, &min_size); |
The third argument to
bro_event_add_val()
BRO_TYPE_ENUM
. You currently
cannot define
a Bro-level enum type in Broccoli, and thus when sending an enum value, you
have to specify the type of the enum along with the value. For example, in order
to add an instance of enum transport_type
defined in
Bro's bro.init, you would use
int transport_proto = 2; /* ... */ bro_event_add_val(ev, BRO_TYPE_ENUM, "transport_proto", &transport_proto); |
bro_event_set_val()
bro_record_add_val()
bro_record_set_nth_val()
bro_record_set_named_val()
All that's left to do now is to send off the event. For this, use
bro_event_send()
TRUE
when the event could be sent right away or if
it was queued for later delivery. FALSE
is returned
on error. If the event get queued, this does not indicate an error
likely the connection was just not
ready to send the event at this point. Whenever you call
bro_event_send()
bro_event_send(bc, ev); bro_event_free(ev); |
Two other functions may be useful to you:
bro_event_queue_length()
bro_event_queue_flush()
Receiving events is a little more work because you need to
tell Broccoli what to do when requested events arrive,
let the remote Bro agent know that you would like to receive those events,
find a spot in the code path suitable for extracting and processing arriving events.
Each of these steps is explained in the following sections.
When Broccoli receives an event, it tries to dispatch the event to callbacks registered for that event type. The place where callbacks get registered is called the callback registry. Any callbacks registered for the arriving event's name are invoked with the parameters shipped with the event. There are two styles of argument passing to the event callbacks. Which one is better suited depends on your application.
Expanded argument passing. Each event argument is passed via a pointer to the callback. This makes best sense when you know the type of the event and of its arguments, because it provides you immediate access to arguments as when using a normal C function.
In order to register a callback with expanded argument passing, use
bro_event_registry_add()
NULL
) you want to see passed to the callback on
each invocation. The callback's type is defined rather generically as follows:
typedef void (*BroEventFunc) (BroConn *bc, void *user_data, ...); |
It requires a connection handle as its first argument
and a pointer to user-provided callback data as the second argument.
Broccoli will pass the connection handle of the connection on which the event
arrived through to the callback. BroEventFunc
s
are variadic, because each callback you provide is directly invoked with
pointers to the parameters of the event, in a format directly usable in C.
All you need to know is what type to point to in order to receive the
parameters in the right layout. Refer to
![]() | Note that all parameters are passed to the
callback as pointers, even elementary types such as |
Continuing our example, we will want to process the connection reports
that contain the responses to our report_conns
event. Let's assume those look as follows:
event remote_conn(req_id: int, conn: connection); |
The reply events contain the request ID so we can associate requests with replies, and a connection record (defined in bro.init in Bro. (It'd be nicer to report all replies in a single event but we'll ignore that for now.) For this event, our callback would look like this:
void remote_conn_cb(BroConn *bc, void *user_data, int *req_id, BroRecord *conn); |
Once more, you clean up what you allocate, and since you never allocated the
space these arguments point to, you also don't clean them up. Finally, we register
the callback using
bro_event_registry_add()
bro_event_registry_add(bc, "remote_conn", remote_conn_cb, NULL); |
In this case we have no additional data to be passed into the
callback, so we use NULL
for the last argument.
If you have multiple events you are interested in, register
each one in this fashion.
Compact argument passing. This is designed for
situations when you have to determine how to handle different types of
events at runtime, for example when writing language bindings or when
implementing generic event handlers for multiple event types.
The callback is passed a connection handle and the
user data as above but is only passed one additional pointer, to a
BroEvMeta structure. This structure contains all metadata
about the event, including its name, timestamp (in UTC) of creation,
number of arguments, the arguments'
types (via type tags as listed in
In order to register a callback with compact argument passing, use
bro_event_registry_add_compact()
bro_event_registry_add()
typedef void (*BroCompactEventFunc) (BroConn *bc, void *user_data, BroEvMeta *meta); |
![]() | As before, Broccoli manages the lifecycle of event parameters. You do not have to clean up the BroEvMeta structure or any of its contents. |
Below is sample code for extracting the arguments form the BroEvMeta structure, using our running example. This is still written with the assumption that we know the types of the arguments, but note that this is not a requirement for this style of callback.
void remote_conn_cb(BroConn *bc, void *user_data, BroEvMeta *meta) { int *req_id; BroRecord *rec; /* For demonstration, print out the event's name: */ printf("Handling a %s event.\n", meta->ev_name); /* Sanity-check the number of arguments: */ if (meta->ev_numargs != 2) { /* error */ } /* Sanity-check the argument types: */ if (meta->ev_args[0].arg_type != BRO_TYPE_INT) { /* error */ } if (meta->ev_args[1].arg_type != BRO_TYPE_RECORD) { /* error */ } req_id = (int *) meta->ev_args[0].arg_data; rec = (BroRecord *) meta->ev_args[1].arg_data; /* ... */ } |
Finally, register the callback using
bro_event_registry_add_compact()
bro_event_registry_add_compact(bc, "remote_conn", remote_conn_cb, NULL); |
At this point, Broccoli knows what to do with the requested events upon
arrival. What's left to do is to let the remote Bro know that you
would like to receive the events for which you registered. If you haven't
yet called bro_conn_connect()
bro_event_registry_request()
bro_event_registry_request(bc); |
This mechanism also implies that no unrequested events will be delivered to us (and if that happened for whatever reason, the event would simply be dropped on the floor).
![]() | Note that at the moment you cannot unrequest events, nor can you request events based on predicates on the values of the events' arguments. |
At this point the remote Bro will start sending you the requested events once they are triggered. What is left to do is to read the arriving events from the connection and trigger dispatching them to the registered callbacks.
If you are writing a new Bro-enabled application, this is easy, and you can
choose among two approaches: polling explicitly via Broccoli's API, or using
select()
on the file handle associated with a BroConn.
The former case is particularly straightforward; all you need to do is
call
bro_conn_process_input()
bro_conn_get_fd()
FD_SET
/select()
code. Once you have determined that data in fact are ready to be read from
the obtained file descriptor, you can then try another
bro_conn_process_input()
As a side note, if you don't process arriving events frequently enough, then TCP's flow control will start to slow down the sender until eventually events will queue up and be dropped at the sending end.
Broccoli supports record structures, i.e., types that pack a set of values together, placing each value into its own field. In Broccoli, the way you handle records is somewhat similar to events: after creating an empty record (of opaque type BroRecord, you can iteratively add fields and values to it. The main difference is that you must specify a field name with the value; each value in a record can be identified both by position (a numerical index starting from zero), and by field name. You can retrieve vals in a record by field index or field name. You can also reassign values. There is no explicit, IDL-style definition of record types. You define the type of a record implicitly by the sequence of field names and the sequence of the types of the values you put into the record.
Note that all fields in a record must be assigned before it can be shipped.
The API for record composition consists of
bro_record_new()
bro_record_free()
bro_record_add_val()
bro_record_set_nth_val()
bro_record_set_named_val()
On records that use field names, the names of individual fields can be extracted using
bro_record_get_nth_name()
bro_record_get_nth_val()
bro_record_get_named_val()
NULL
. The pointer, if not
NULL
, serves two purposes: type checking and type retrieval.
Type checking is performed if the value of the int upon calling the
functions is not BRO_TYPE_UNKNOWN. The type tag of the requested record
field then has to match the type tag stored in the int, otherwise
NULL
is returned. If the int stores BRO_TYPE_UNKNOWN
upon calling, no type-checking is performed. In both cases,
the actual type of the
requested record field is returned in the int pointed to upon
return from the function. Since you have no guarantees of the type of the value
upon return if you pass NULL
as the int pointer,
this is a bad idea and either BRO_TYPE_UNKNOWN or another type value
should always be used.
For example, you could extract the value of the record field "label", which we assume should be a string, in the following ways:
BroRecord *rec = /* obtained somehow */ BroString *string; int type; /* --- Example 1 --- */ type = BRO_TYPE_STRING; /* Use type-checking, will not accept other type */ if (! (string = bro_record_get_named_val(rec, "label", &type))) { /* Error handling, either there's no field of that value, * or the value is not of BRO_TYPE_STRING. The actual * type is now stored in "type". */ } /* --- Example 2 --- */ type = BRO_TYPE_UNKNOWN; /* No type checking, just report the existant type */ if (! (string = bro_record_get_named_val(rec, "label", &type))) { /* Error handling, no field of that name exists. */ } printf("The type of the value in field 'label' is %i\n", type); /* --- Example 3 --- */ if (! (string = bro_record_get_named_val(rec, "label", NULL))) { /* Error handling, no field of that name exists. */ } /* We now have a value, but we can't really be sure of its type */ |
Record fields can be records, for example in the case of Bro's standard
connection record type. In this case, in order to get to a nested record, you
use BRO_TYPE_RECORD
:
void remote_conn_cb(BroConn *bc, int *req_id, BroRecord *conn) { BroRecord *conn_id; int type = BRO_TYPE_RECORD; if (! (conn_id = bro_record_get_named_val(conn, "id", &type))) { /* Error handling */ } } |
Broccoli supports Bro-style tables, i.e., associative containers that map instances of a key type to an instance of a value type. A given key can only ever point to a single value. The key type can be composite, i.e., it may consist of an ordered sequence ofdifferent types, or it can be direct, i.e., consisting of a single type (such as an integer, a string, or a record).
The API for table manipulation consists of
bro_table_new()
bro_table_free()
bro_table_insert()
bro_table_find()
bro_table_get_size()
bro_table_get_types()
bro_table_foreach()
Tables are handled similarly to records in that typing is determined
dynamically by the initial key/value pair inserted. The resulting types
can be obtained via
bro_table_get_types()
BRO_TYPE_UNKNOWN
will result. Also, as with records,
values inserted into the table are copied internally, and the ones passed
to the insertion functions remain unaffected.
In contrast to records, table entries can be iterated. By passing a function
of signature
BroTableCallback()
bro_table_foreach()
TRUE
to keep the iteration going, or FALSE
to stop it.
![]() | The main thing to know about Broccoli's tables is how to use composite key
types. To avoid additional API calls, you may treat composite key types
exactly as records, though you do not need to use field names when assigning
elements to individual fields. So in order to insert a key/value pair, you
create a record with the needed items assigned to its slots, and use this
record as the key object. In order to differentiate composite index types
from direct ones consisting of a single record, use |
brotable.c in the test subdirectory of the Broccoli tree contains an extensive example of using tables with composite as well as direct indexing types.
Sets are essentially tables with void value types.
The API for set manipulation consists of
bro_set_new()
bro_set_free()
bro_set_insert()
bro_set_find()
bro_set_get_size()
bro_set_get_type()
bro_set_foreach()
You will often find that you would like to connect data with
a BroConn. Broccoli provides an API that
lets you associate data items with a connection handle through
a string-based keyvalue registry. The functions of interest
are
bro_conn_data_set()
bro_conn_data_get()
bro_conn_data_del()
bro_disconnect()
Imagine you have instrumented the mother of all server applications. Building it takes forever, and every now and then you need to change some of the parameters that your Broccoli code uses, such as the host names of the Bro agents to talk to. To allow you to do this quickly, Broccoli comes with support for configuration files. All you need to do is change the settings in the file and restart the application (we're considering adding support for volatile configuration items that are read from the file every time they are requested).
A configuration is read from a single configuration file. This file can be read from two different locations:
The system-wide configuration file. You can obtain the location of this config file by running broccoli-config --config.
Alternatively, a per-user configuration file stored in ~/.broccoli.conf can be used.
![]() | ~/.broccoli.conf will only be used if
it is a regular file, not executable, and neither group nor others have
any permissions on the file. That is, the file's permissions must look
like |
In the configuration file, a "#" anywhere starts a comment that runs to the end of the line. Configuration items are specified as key-value pairs:
# This is the Broccoli system-wide configuration file. # # Entries are of the form <identifier> <value>, where the identifier # is a sequence of letters, and value can be a string (including # whitespace), and floating point or integer numbers. Comments start # with a "#" and go to the end of the line. For boolean values, you # may also use "yes", "on", "true", "no", "off", or "false". # Strings may contain whitespace, but need to be surrounded by # double quotes '"'. # # Examples: # Foo/PeerName mybro.securesite.com Foo/PortNum 123 Bar/SomeFloat 1.23443543 Bar/SomeLongStr "Hello World" |
You can also have multiple sections in your configuration. Your application can select a section as the current one, and queries for configuration settings will then only be answered with values specified in that section. A section is started by putting its name (no whitespace please) between square brackets. Configuration items positioned before the first section title are in the default domain and will be used by default.
# This section contains all settings for myapp. [ myapp ] |
You can name identifiers any way you like, but to keep things
organized it is recommended to keep a namespace hierarchy similar
to the file system. In the code, you can query configuration
items using
bro_conf_get_str()
bro_conf_get_int()
bro_conf_get_dbl()
bro_conf_set_domain()
Broccoli provides an API for dynamically allocatable, growable, shrinkable,
and consumable buffers with BroBuf
s. You may or may
not find this useful Broccoli mainly provides this feature in
broccoli.h because these buffers are used internally
anyway and because they are typical case of something that people implement
themselves over and over again, for example to collect a set of data before
sending it through a file descriptor, etc.
The buffers work as follows. The structure implementing a buffer is
called BroBuf. BroBufs are initialized to a default size when created via
bro_buf_new()
bro_buf_free()
bro_buf_append()
<---------------- allocated buffer space ------------> <======== used buffer space ========> ^ ^ ^ ^ | | | | `buf `buf_ptr `buf_off `buf_len |
Have a look at the following functions for the details:
bro_buf_new()
bro_buf_free()
bro_buf_append()
bro_buf_consume()
bro_buf_reset()
bro_buf_get()
bro_buf_get_end()
bro_buf_get_size()
bro_buf_get_used_size()
bro_buf_ptr_get()
bro_buf_ptr_tell()
bro_buf_ptr_seek()
bro_buf_ptr_check()
bro_buf_ptr_read()
Encrypted communication between Bro peers takes place over an SSL connection in which both endpoints of the connection are authenticated. This requires at least some PKI in the form of a certificate authority (CA) which you use to issue and sign certificates for your Bro peers. To facilitate the SSL setup, each peer requires three documents: a certificate signed by the CA and containing the public key, the corresponding private key, and a copy of the CA's certificate.
The OpenSSL command line tool openssl can be used to create all files neccessary, but its unstructured arguments and poor documentation make it a pain to use and waste lots of people a lot of time[1]. Therefore, the Bro distribution comes with two scripts, ca-create and ca-issue. You use the former once to set up your CA, and the latter to create a certificate for each of the Bro peers in your infrastructure.
ca-create lets you choose a directory in which the
CA maintains its files. If you set BRO_CA_DIR
in your
environment, it will be used for this purpose. After entering a passphrase
for the private key of your CA, you can find the self-signed certificate
of your CA in $BRO_CA_DIR/ca_cert.pem.
ca-issue first requires the directory of the CA, offering $BRO_CA_DIR if that is found. It asks you for a prefix for the certificate to be generated, for the passphrase of the private key of the CA so the new certificate can be signed, for the passphrase for the new private key, and for a few parameters that make up the "distinguished name" of the certificate. This name (i.e., the combination of all the fields you enter a value for) must be unique among all your Bro peers. Once that is done, you find a new certificate named prefix.pem in your current directory. This file actually consists of two of the three cryptographic documents mentioned above, namely the new certificate and the private key. We refer to it as "certificate" for simplicity.
/broccoli/ca_cert
and
/broccoli/host_cert
keys, respectively, in the configuration file.
Optionally, you can store the private key in a separate file specified by
/broccoli/host_key
.
To quickly enable/disable a certificate configuration, the
/broccoli/use_ssl
key can be used.
![]() | This is where you configure whether to use encrypted or unencrypted connections. If the If the In no case does an SSL-enabled setup ever fall back to a cleartext one. |
/broccoli/use_ssl yes /broccoli/ca_cert <path>/ca_cert.pem /broccoli/host_cert <path>/bro_cert.pem /broccoli/host_key <path>/bro_cert.key |
In a Bro policy, you need to load the listen-ssl.bro policy and
redef ssl_ca_certificate
and ssl_private_key
,
defined in bro.init:
@load listen-ssl redef ssl_ca_certificate = "<path>/ca_cert.pem"; redef ssl_private_key = "<path>/bro.pem"; |
By default, you will be prompted for the passphrase for the private key matching the public key in your agent's certificate. Depending on your application's user interface and deployment, this may be inappropriate. You can store the passphrase in the config file as well, using the following identifier:
/broccoli/host_pass foobar |
![]() | Make sure that access to your configuration is restricted. If you provide the passphrase this way, it is obviously essential to have
restrictive permissions on the configuration file. Broccoli partially enforces
this. Please refer to the section on
|
Before a remote Bro will accept your connection and your events, it needs to have its policy configured accordingly:
Load either listen-ssl or listen-clear, depending on whether you want to have encrypted or cleartext communication. Obviously, encrypting the event exchange is recommended and cleartext should only be used for early experimental setups. See below for details on how to set up encrypted communication via SSL.
You need to find a port to use for the Bros and Broccoli applications that will
listen for connections. Every such agent can use a different port, though default
ports are provided in the Bro policies.
To change the port the Bro agent will be listening on from its default
redefine the listen_port_ssl
or
listen_port_clear
variables from listen-clear.bro
or listen-ssl.bro, respectively. Have a look at these policies as well
as remote.bro for the default values. Here is the policy
for the unencrypted case:
@load listen-clear redef listen_port_clear = 12345/tcp; |
Including the settings for the cryptographic files introduced in the previous section, here is the encrypted one:
@load listen-ssl redef listen_port_ssl = 12345/tcp; redef ssl_ca_certificate = "<path>/ca_cert.pem"; redef ssl_private_key = "<path>/bro.pem"; |
The policy controlling which peers a Bro agent will communicate with and how this
communication will happen are defined in the destinations
table
defined in remote.bro. This table contains entries of type
Destination, whose members mostly provide default values so you do not
need to define everything. You need to come up with a tag for the connection
under which it can be found in the table (a creative one would be "broccoli"),
the IP address of the peer, the pattern of names of the events the Bro will accept
from you, whether you want Bro to connect to your
machine on startup or not, if so, a port to connect to (defaults are
default_port_ssl
and default_port_clear
, also
defined in remote.bro), a retry timeout, whether to use SSL,
and the class of a connection as set on the Broccoli side via
bro_conn_set_class()
An example could look as follows:
redef Remote::destinations += { ["broping"] = [$host = 127.0.0.1, $class="broping", $events = /ping/, $connect=F, $ssl=F] }; |
This example is taken from broping.bro, the policy the
remote Bro must run when you want to use the broping tool
explained in the
If your Broccoli installation was configured with --enable-debug, Broccoli will report two kinds of debugging information: (i) function call traces and (ii) individual debugging messages. Both are enabled by default, but can be adjusted in two ways.
In the configuration file: in the appropriate section of the configuration
file, you can set the keys /broccoli/debug_messages
and
/broccoli/debug_calltrace
to on
/off
to enable/disable the corresponding output.
In code: you can set the variables
bro_debug_calltrace
bro_debug_messages
By default, debugging output is inactive (even with debuggin support compiled in).
You need to enable it explicitly either in your code by assigning 1 to
bro_debug_calltrace
bro_debug_messages
The Broccoli distribution comes with a few small test programs,
located in the test/ directory of the tree.
The most notable one is broping
[2], a mini-version of ping.
It sends "ping" events to a remote Bro agent, expecting "pong" events
in return. It operates in two flavours: one uses atomic types for sending
information across, and the other one uses records. The Bro agent you want
to ping needs to run either the broping.bro or
broping-record.bro policies. You can find these
in the test/ directory of the source tree, and
in prefix/share/broccoli in the installed
version. broping.bro is shown below. By default,
pinging a Bro on the same machine is configured. If you want your Bro
to be pinged from another machine, you need to update the
destinations
variable accordingly.
@load listen-clear; global ping_log = open_log_file("ping"); redef Remote::destinations += { ["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $retry = 60 secs, $ssl=F] }; event ping(src_time: time, seq: count) { event pong(src_time, current_time(), seq); } event pong(src_time: time, dst_time: time, seq: count) { print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f", seq, src_time, dst_time, dst_time-src_time); } |
broping
sends ping events to Bro. Bro accepts those because they are configured
accordingly in the destinations table. As shown in the policy, ping events
trigger pong events, and broccoli
requests delivery of all pong events back to it.
When running broping
, you'll see something like this:
cpk25@localhost:/home/cpk25/devel/broccoli > ./test/broping pong event from 127.0.0.1: seq=1, time=0.004700/1.010303 s pong event from 127.0.0.1: seq=2, time=0.053777/1.010266 s pong event from 127.0.0.1: seq=3, time=0.006435/1.010284 s pong event from 127.0.0.1: seq=4, time=0.020278/1.010319 s pong event from 127.0.0.1: seq=5, time=0.004563/1.010187 s pong event from 127.0.0.1: seq=6, time=0.005685/1.010393 s |
[1] | In other documents and books on OpenSSL you will find this expressed more politely, using terms such as "daunting to the uninitiated", "challenging", "complex", "intimidating". |
[2] | Pronunciation is said to be somewhere on the continuum between "brooping" and "burping". |