def __init__(self,
tasks,
shutdown_event,
hup_event,
bro_peer="localhost:47757",
log_path=None):
"""Initialize the worker thread.
Connects to a Bro peer process and optionally opens a log file.
:param tasks: A Queue.Queue instance in which new tasks are placed.
:param shutdown_event: A threading.Event instance set by another thread
to indicate that this thread needs to finish soon.
:param hup_event: A threading.Event instance set by another thread to
indicate that a SIGHUP signal was received.
:param bro_peer: A string in "host:port" format specifying how
to connect to a Bro process.
:param log_path: A string representing a path to a file which will
log all complete messages from clients.
:raises: IOError if a Broccoli connection cannot be established
"""
super(BroccoliWorker, self).__init__(tasks, shutdown_event, hup_event)
self._log_path = None
self._log_file = None
if log_path is not None:
self._log_path = log_path
self._log_file = open(log_path, "w")
logger.info("opened log file: {0}".format(self._log_path))
self._bc = broccoli.Connection(bro_peer)
def connect(self):
if self.cxn:
self.log.warning(self.name + " already connected")
else:
self.cxn = broccoli.Connection(self.bro.hostname + ":" +
str(self.port))
self.run_thread = True
self.thread = threading.Thread(target=self.poll,
name="script:" + self.name)
self.thread.daemon = True
self.thread.start()
def initializeBroccoli():
"""Initialize connection to Bro."""
failed = True
while failed:
try:
global broccoliConnection
broccoliConnection = broccoli.Connection(BROCCOLI_CONNECT)
failed = False
logger.info("Connected to Bro!")
except Exception, e:
logger.error(
"Unknown exception or error in broccoli initialization. %s" %
e.message)
def broconnect():
global bro_conn
result = False
while result == False:
try:
print "connection attempt to ", node
bro_conn = broccoli.Connection(node)
except:
print "connection fail to node ", node
time.sleep(1)
else:
result = True
def _sendEventInit(node, event, args, result_event):
try:
bc = broccoli.Connection("%s:%d" % (node.addr, node.getPort()),
broclass="update",
flags=broccoli.BRO_CFLAG_ALWAYS_QUEUE,
connect=False)
bc.subscribe(result_event, _event_callback(bc))
bc.got_result = False
bc.connect()
except IOError, e:
util.debug(1, "%-10s broccoli: cannot connect" % (("[%s]" % node.tag)))
return (False, str(e))
def _sendEventInit(node, event, args, result_event):
host = util.scopeAddr(node.addr)
try:
bc = broccoli.Connection("%s:%d" % (host, node.getPort()),
broclass="control",
flags=broccoli.BRO_CFLAG_ALWAYS_QUEUE,
connect=False)
bc.subscribe(result_event, _event_callback(bc))
bc.got_result = False
bc.connect()
except IOError, e:
util.debug(1, "broccoli: cannot connect", prefix=node.name)
return (False, str(e))
def _send_event_init(node, event, args, result_event):
host = util.scope_addr(node.addr)
try:
bc = broccoli.Connection("%s:%d" % (host, node.getPort()), broclass="control",
flags=broccoli.BRO_CFLAG_ALWAYS_QUEUE, connect=False)
bc.subscribe(result_event, _event_callback(bc))
bc.got_result = False
bc.connect()
except IOError as e:
logging.debug("broccoli: cannot connect to node %s", node.name)
return (False, str(e))
logging.debug("broccoli: %s(%s) to node %s", event, ", ".join(args), node.name)
bc.send(event, *args)
return (True, bc)
while True:
select.select((bro_conn_fd), (bro_conn_fd), (bro_conn_fd))
bro_conn.processInput()
except:
while True:
bro_conn.processInput()
sleep(.1)
@broccoli.event
def remote_check_URL(seqno, host, uri):
# Receive a URL from bro, and send a return signal back
# if it should be blocked.
category = check_database(host, uri)
if category:
if check_category(category):
# If the category signals a block
bro_conn.send("stomper_block", seqno)
return
#Main program - Initialize and call event loop
# Setup the connection to bro
bro_conn = broccoli.Connection("127.0.0.1:47758")
# Event loop
bro_event_loop(bro_conn)
# Everything under this is never executed.
sys.exit(0)
window_event_count = 0 # events per window
window_start_time = broccoli.current_time() #
window_size = 60 # measuring window in seconds
alarm_event_rate = 10000
node = "127.0.0.1:47757"
event = "BLANK"
valset = []
error_line = 0 # the event line does not contain at least two entries
error_item = 0 # number of '=' in the type=data < 1
error_parse = 0 # data parse errors per window
# init the connection object, but do not attempt to connect
bro_conn = broccoli.Connection(connect=False, destination=node)
syslog.openlog()
# file to monitor
#t = FileTail("logfile")
t = FileTail("/var/www/html/sigma/ssh_logging")
# ----------### Functions Below ###---------- #
def databrush(type, dval):
# patch for broken heartbeat
if event.find('server_heartbeat') != -1 and dval == "-1":
return "0"
# IPv6 address raw socket looks like "::", make a fave IPv4 address of the same