broccoli 1.3.0

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2007 Seth Hall
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

data/README

@@ -0,0 +1,44 @@
+rBroccoli is an interface for the Bro-IDS Broccoli library.
+
+URL: http://rbroccoli.rubyforge.org 
+
+Author: Seth Hall <hall.692@osu.edu> 
+
+Version: 1.3.0 
+
+Date: 2007-08-03 23:16:50 EST
+
+=About
+This is the rBroccoli extension for ruby which provides access to the 
+Broccoli API.  Broccoli is a library for communicating with the Bro Intrusion
+Detection System.  Broccoli is distributed with Bro now, so I'm going to be
+releasing versions of rBroccoli that target Bro versions.
+
+Bro IDS:: http://www.bro-ids.org
+
+=Install
+To install the extension
+1. Make sure that the broccoli-config binary is in your path.
+     (export PATH=/usr/local/bro/bin:$PATH)
+2. Run, "sudo ruby setup.rb"
+
+To install the extension as a gem (<b>suggested</b>)
+1. Install rubygems... http://rubygems.org/
+2. Make sure that the broccoli-config binary is in your path. 
+     (export PATH=/usr/local/bro/bin:$PATH)
+3. Run, "sudo gem install rbroccoli" 
+
+=Usage
+There aren't really any useful docs yet.  Your best bet currently is
+to to read through the examples.
+
+One thing I should mention however is that I haven't done any optimization
+yet.  You may find that if you write code that is going to be sending or
+receiving extremely large numbers of events, that it won't run fast enough and 
+will begin to fall behind the Bro server.  The dns_requests.rb example is
+a good performance test if your Bro server is sitting on a network with many
+dns lookups.
+
+=Contact
+If you have a question/comment/patch, email me at:
+  hall.692@osu.edu

data/examples/broconn.bro

@@ -0,0 +1,26 @@
+# Depending on whether you want to use encryption or not,
+# include "listen-clear" or "listen-ssl":
+#
+# @load listen-ssl
+@load listen-clear
+@load conn
+
+# Let's make sure we use the same port no matter whether we use encryption or not:
+#
+@ifdef (listen_port_clear)
+redef listen_port_clear    = 47758/tcp;
+@endif
+
+# If we're using encrypted communication, redef the SSL port and hook in
+# the necessary certificates:
+#
+@ifdef (listen_port_ssl)
+redef listen_port_ssl      = 47758/tcp;
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+@endif
+
+redef Remote::destinations += {
+	["broconn"] = [$host = 127.0.0.1, $connect=F, $ssl=F]
+};
+

data/examples/broconn.rb

@@ -0,0 +1,47 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'bro' # If installed as a native extension
+rescue LoadError
+  require 'rubygems' # If install as a gem
+  gem 'broccoli'
+  require 'bro'
+end
+
+require 'ipaddr'
+include Bro
+
+Bro.debug_calltrace=false
+Bro.debug_messages=false
+
+SRC_STR  = "%s/%s [%u/%u] -> "
+DST_STR  = "%s/%s [%u/%u], "
+METADATA_STR = "%s start: %f, duration: %f, addl: '%s'\n"
+
+def generic_conn(conn)
+  begin
+    ip = IPAddr.ntop(conn.id.orig_h).to_s
+    printf SRC_STR, ip, conn.id.orig_p, conn.orig.size, conn.orig.state
+    ip = IPAddr.ntop(conn.id.resp_h).to_s
+    printf DST_STR, ip, conn.id.resp_p, conn.resp.size, conn.resp.state
+    printf METADATA_STR, conn.service, conn.start_time, conn.duration, conn.addl
+  rescue
+    # For some reason, occasionally the IPAddr class doesn't like the 
+    # network byte ordered strings that it receives.
+    puts "oops - this seems to be a bug :)"
+  end
+end
+
+bc = Bro::Connection.new("127.0.0.1:47758", BRO_CFLAG_RECONNECT)
+
+bc.event_handler_for("connection_attempt")     { |conn| print "connection_attempt: "; generic_conn(conn) }
+bc.event_handler_for("connection_established") { |conn| print "connection_established: "; generic_conn(conn) }
+bc.event_handler_for("connection_finished")    { |conn| print "connection_finished: "; generic_conn(conn) }
+bc.event_handler_for("connection_rejected")    { |conn| print "connection_rejected: "; generic_conn(conn) }
+
+if bc.connect
+  puts "connected"
+  while bc.wait
+    bc.process_input
+  end
+end

data/examples/broenum.rb

@@ -0,0 +1,122 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'bro' # If installed as a native extension
+rescue LoadError
+  require 'rubygems' # If install as a gem
+  gem 'broccoli'
+  require 'bro'
+end
+
+require 'logger'
+require 'optparse'
+require 'ostruct'
+require 'ipaddr'
+
+class BroenumApp < Logger::Application
+  include Bro
+  
+  def run
+    opt = parse_opts()
+      
+    # Set debugging vars
+    Bro.debug_messages=true if opt.debug > 0  
+    Bro.debug_calltrace=true if opt.debug > 1
+    
+    # Create the connection object
+    bc = Bro::Connection.new("#{opt.host}:#{opt.port}", BRO_CFLAG_NONE)
+        
+    if bc.connect
+      #puts "connected"
+      ev = Bro::Event.new("enumtest")
+      ev.insert(opt.num, :enum, opt.type_name)
+      puts "Sending enum val #{opt.num} to remote peer."
+      bc.send(ev)
+
+      # Make sure the event isn't still queued
+      while bc.queue_length > 0
+        bc.queue_flush
+      end
+      
+      bc.disconnect
+    else
+      puts "Couldn't connect to Bro server at #{opt.host}:#{opt.port}."
+    end
+    
+  end
+  
+  private
+  
+  def initialize
+    super('app')
+    STDERR.sync = true
+    self.level = Logger::FATAL
+  end
+    
+  def parse_opts
+    options = OpenStruct.new
+    options.debug = 0
+    options.host = "127.0.0.1"
+    options.port = 47758
+    options.type_name = "enumtest::enumtype"
+    options.num = 0
+    
+    opts = OptionParser.new do |opts|
+      opts.banner = "broenum - sends enum vals to a Bro node, printing the corresponding
+      	 string value on the Bro side.
+      	 USAGE: #{$0} [-h] [-d] [-p port] [-t type] [-n num] host"
+
+      opts.separator ""
+      opts.separator "Specific options:"
+      
+      opts.on('-p', '--port PORT',
+              'The port your bro agent is listening on') do |port|
+        options.port = port.to_i
+      end
+      
+      opts.on('-n', '--num NUM',
+              'The enum value') do |n|
+        options.num = n.to_i
+      end
+      
+      opts.on('-t', '--type TYPE',
+              'The enum type') do |t|
+        options.type_name = t
+      end
+                  
+      opts.separator ""
+      opts.separator "Common options:"
+
+      # No argument, shows at tail.  This will print an options summary.
+      # Try it and see!
+      opts.on_tail("-h", "--help", "Show this message") do
+        puts opts
+        exit
+      end
+      
+      opts.on_tail('-d', '--debug',
+              'Use this option once for debug messages and twice for calltraces') do
+        options.debug += 1
+      end
+      
+    end
+    
+    begin
+      opts.parse!(ARGV)       
+      raise(OptionParser::InvalidOption, "missing host") unless ARGV[0]
+      options.host = ARGV[0]
+    rescue OptionParser::InvalidOption => e
+      puts "Invalid option! (#{e})"
+      puts opts
+      exit -1
+    end
+    options
+  end
+  
+end
+
+begin
+  BroenumApp.new.start
+rescue Interrupt => e
+  # Catch interrupts quietly
+end

data/examples/brohose.bro

@@ -0,0 +1,30 @@
+# Depending on whether you want to use encryption or not,
+# include "listen-clear" or "listen-ssl":
+#
+# @load listen-ssl
+@load listen-clear
+
+global brohose_log = open_log_file("brohose");
+
+# Let's make sure we use the same port no matter whether we use encryption or not:
+#
+@ifdef (listen_port_clear)
+redef listen_port_clear    = 47758/tcp;
+@endif
+
+# If we're using encrypted communication, redef the SSL port and hook in
+# the necessary certificates:
+#
+@ifdef (listen_port_ssl)
+redef listen_port_ssl      = 47758/tcp;
+redef ssl_ca_certificate   = "<path>/ca_cert.pem";
+redef ssl_private_key      = "<path>/bro.pem";
+@endif
+
+redef Remote::destinations += {
+	["brohose"] = [$host = 127.0.0.1, $events = /brohose/, $connect=F, $ssl=F]
+};
+
+event brohose(id: string) {
+	print brohose_log, fmt("%s %s", id, current_time());
+}

data/examples/brohose.rb

@@ -0,0 +1,169 @@
+#!/usr/bin/env ruby
+
+begin
+  require 'bro' # If installed as a native extension
+rescue LoadError
+  require 'rubygems' # If install as a gem
+  gem 'broccoli'
+  require 'bro'
+end
+
+require 'logger'
+require 'optparse'
+require 'ostruct'
+require 'ipaddr'
+
+class BrohoseApp < Logger::Application
+  include Bro
+  
+  def run
+    opt = parse_opts()
+      
+    # Set debugging vars
+    Bro.debug_messages=true if opt.debug > 0  
+    Bro.debug_calltrace=true if opt.debug > 1
+      
+    printf("Will attempt to send %i events from %i processes, to %s\n",
+           opt.events, opt.processes, opt.host)
+    puts "enter to continue"
+    STDIN.gets
+    
+    # Create the connection object
+    bc = Bro::Connection.new("#{opt.host}:#{opt.port}", BRO_CFLAG_SHAREABLE)
+        
+    if bc.connect
+      #puts "connected"
+
+      (1..opt.processes).each do
+        @pid = fork()
+        
+        if @pid.nil?
+          hose_away(bc, opt.events)
+          exit 0
+        end
+        
+        if @pid < 0
+          puts "Unable to fork children, aborting."
+          exit -1
+        end
+                              
+      end
+      
+      Process.wait
+      puts "All children finished... done."
+      exit 0
+      
+    else
+      puts "Couldn't connect to Bro at #{opt.host}:#{opt.port}."
+      exit -1
+    end
+    
+  end
+  
+  private
+  
+  def initialize
+    super('app')
+    STDERR.sync = true
+    self.level = Logger::FATAL
+    
+    @pid = 0
+  end
+  
+  def hose_away(bc, events)
+    (1..events).each do |i|
+      ev = Bro::Event.new("brohose")  
+      msg = sprintf("%u-%i-%i", @pid, i, bc.queue_length) 
+      ev.insert(msg, :string)
+      bc.send(ev) 
+    
+      if (bc.queue_length > bc.queue_length_max/2)
+    	  while bc.queue_length > 0
+    	    bc.queue_flush
+  	    end
+    	end
+    	
+    end
+    
+	  while bc.queue_length > 0
+	    bc.queue_flush
+    end
+
+    printf("-- child %u, %i queued\n", @pid, bc.queue_length)
+    bc.disconnect
+  end
+    
+  def parse_opts
+    options = OpenStruct.new
+    options.debug = 0
+    options.port = 47758
+    options.processes = 10
+    options.events = 1000
+    
+    opts = OptionParser.new do |opts|
+      opts.banner = "brohose - Try to hose bro with data.\nUsage: #{$0} [options] host"
+
+      opts.separator ""
+      opts.separator "Specific options:"
+      
+      opts.on('-p', '--port PORT',
+              'The port your bro agent is listening on') do |port|
+        options.port = port
+      end
+      
+      opts.on('-n', '--number NUMBER',
+              'Number of processes to use (10)') do |n|
+        n = n.to_i
+        if n < 1 or n > 100  
+          puts "Please restrict the number of processes to 1-100."
+          exit -1
+        end
+        options.processes = n
+      end
+      
+      opts.on('-e', '--events EVENTS',
+              'Number of events per process (1000)') do |e|
+        e = e.to_i
+        if e < 1 or e > 10000  
+          puts "Please restrict the number of events to 1-10,000."
+          exit -1
+        end
+        options.events = e
+      end
+                  
+      opts.separator ""
+      opts.separator "Common options:"
+
+      # No argument, shows at tail.  This will print an options summary.
+      # Try it and see!
+      opts.on_tail("-h", "--help", "Show this message") do
+        puts opts
+        exit
+      end
+      
+      opts.on_tail('-d', '--debug',
+              'Use this option once for debug messages and twice for calltraces') do
+        options.debug += 1
+      end
+      
+    end
+    
+    begin
+      opts.parse!(ARGV)       
+      raise(OptionParser::InvalidOption, "missing host") unless ARGV[0]
+      options.host = ARGV[0]      
+    rescue OptionParser::InvalidOption => e
+      puts "Invalid option! (#{e})"
+      puts opts
+      exit
+    end
+    options
+  end
+  
+end
+
+begin
+  BrohoseApp.new.start
+rescue Interrupt => e
+  # Catch interrupts quietly
+end