add pacf plugin that directly outputs messages to broker.

Also fix a few problems in pacf in the process of doing this.
2025-10-04 23:58:20 +00:00 · 2015-05-26 11:19:55 -07:00 · 2015-05-26 11:19:55 -07:00 · 0a49b8cdf6
commit 0a49b8cdf6
parent 94fbd492ca
10 changed files with 288 additions and 14 deletions
--- a/scripts/base/frameworks/pacf/main.bro
+++ b/scripts/base/frameworks/pacf/main.bro
@ -250,11 +250,13 @@ export {
 redef record Rule += {
 	##< Internally set to the plugin handling the rule.
-	_plugin: PluginState &optional;
+	_plugin_id: count &optional;
 };
 global plugins: vector of PluginState;
 global plugin_ids: table[count] of PluginState;
 global rule_counter: count = 1;
 global plugin_counter: count = 1;
 global rules: table[count] of Rule;
 event bro_init() &priority=5
@ -352,6 +354,10 @@ function activate(p: PluginState, priority: int)
 	plugins[|plugins|] = p;
 	sort(plugins, function(p1: PluginState, p2: PluginState) : int { return p2$_priority - p1$_priority; });
 	plugin_ids[plugin_counter] = p;
 	p$_id = plugin_counter;
 	++plugin_counter;
 	log_msg(fmt("activated plugin with priority %d", priority), p);
 	}
@ -395,9 +401,11 @@ function add_rule(r: Rule) : count
 		{
 		local p = plugins[i];
 		# set before, in case the plugins sends and regenerates the plugin record later.
 		r$_plugin_id = p$_id;
 		if ( p$plugin$add_rule(p, r) )
 			{
 			r$_plugin = p;
 			log_rule(r, "ADD", REQUESTED, p);
 			return r$id;
 			}
@ -409,10 +417,16 @@ function add_rule(r: Rule) : count
 function remove_rule(id: count) : bool
 	{
-	local r = rules[id];
+	if ( id !in rules )
-	local p = r$_plugin;
+		{
 		Reporter::error(fmt("Rule %d does not exist in Pacf::remove_rule", id));
 		return F;
 		}
-	if ( ! p$plugin$remove_rule(r$_plugin, r) )
+	local r = rules[id];
 	local p = plugin_ids[r$_plugin_id];
 	if ( ! p$plugin$remove_rule(p, r) )
 		{
 		log_rule_error(r, "remove failed", p);
 		return F;
@ -425,7 +439,7 @@ function remove_rule(id: count) : bool
 event rule_expire(r: Rule, p: PluginState)
 	{
 	if ( r$id !in rules )
-		# Remove already.
+		# Removed already.
 		return;
 	event rule_timeout(r, FlowInfo(), p);
--- a/scripts/base/frameworks/pacf/plugin.bro
+++ b/scripts/base/frameworks/pacf/plugin.bro
@ -9,6 +9,9 @@ export {
 		## Table for a plugin to store custom, instance-specfific state. 
 		config: table[string] of string &default=table();
 		## Unique plugin identifier -- used for backlookup of plugins from Rules. Set internally.
 		_id: count &optional;
 		## Set internally.
 		_priority: int &default=+0;
 	};
--- a/scripts/base/frameworks/pacf/plugins/load.bro
+++ b/scripts/base/frameworks/pacf/plugins/load.bro
@ -1,3 +1,4 @@
@load ./debug
@load ./openflow
@load ./packetfilter
@load ./broker
--- a/scripts/base/frameworks/pacf/plugins/broker.bro
+++ b/scripts/base/frameworks/pacf/plugins/broker.bro
@ -0,0 +1,142 @@
 # Broker plugin for the pacf framework. Sends the raw data structures
 # used in pacf on to Broker to allow for easy handling, e.g., of
 # command-line scripts.
 module Pacf;
@load ../plugin
@load base/frameworks/broker
 export {
 	## Instantiates the broker plugin.
 	global create_broker: function(host: addr, host_port: port, topic: string, can_expire: bool &default=F) : PluginState;
 	redef record PluginState += {
 		## The broker topic used to send events to
 		broker_topic: string &optional;
 		## The ID of this broker instance - for the mapping to PluginStates
 		broker_id: count &optional;
 		## Broker host to connect to
 		broker_host: addr &optional;
 		## Broker port to connect to
 		broker_port: port &optional;
 	};
 	global broker_add_rule: event(id: count, r: Rule);
 	global broker_remove_rule: event(id: count, r: Rule);
 	global broker_rule_added: event(id: count, r: Rule, msg: string);
 	global broker_rule_removed: event(id: count, r: Rule, msg: string);
 	global broker_rule_error: event(id: count, r: Rule, msg: string);
 	global broker_rule_timeout: event(id: count, r: Rule, i: FlowInfo);
 }
 global pacf_broker_topics: set[string] = set();
 global pacf_broker_id: table[count] of PluginState = table();
 global pacf_broker_current_id: count = 0;
 event Pacf::broker_rule_added(id: count, r: Rule, msg: string)
 	{
 	if ( id !in pacf_broker_id )
 		{
 		Reporter::error(fmt("Pacf broker plugin with id %d not found, aborting", id));
 		return;
 		}
 	local p = pacf_broker_id[id];
 	event Pacf::rule_added(r, p, msg);
 	}
 event Pacf::broker_rule_removed(id: count, r: Rule, msg: string)
 	{
 	if ( id !in pacf_broker_id )
 		{
 		Reporter::error(fmt("Pacf broker plugin with id %d not found, aborting", id));
 		return;
 		}
 	local p = pacf_broker_id[id];
 	event Pacf::rule_removed(r, p, msg);
 	}
 event Pacf::broker_rule_error(id: count, r: Rule, msg: string)
 	{
 	if ( id !in pacf_broker_id )
 		{
 		Reporter::error(fmt("Pacf broker plugin with id %d not found, aborting", id));
 		return;
 		}
 	local p = pacf_broker_id[id];
 	event Pacf::rule_error(r, p, msg);
 	}
 event Pacf::broker_rule_timeout(id: count, r: Rule, i: FlowInfo)
 	{
 	if ( id !in pacf_broker_id )
 		{
 		Reporter::error(fmt("Pacf broker plugin with id %d not found, aborting", id));
 		return;
 		}
 	local p = pacf_broker_id[id];
 	event Pacf::rule_timeout(r, i, p);
 	}
 function broker_name(p: PluginState) : string
 	{
 	return fmt("PACF Broker plugin - topic %s", p$broker_topic);
 	}
 function broker_add_rule_fun(p: PluginState, r: Rule) : bool
 	{
 	BrokerComm::event(p$broker_topic, BrokerComm::event_args(broker_add_rule, p$broker_id, r));
 	return T;
 	}
 function broker_remove_rule_fun(p: PluginState, r: Rule) : bool
 	{
 	BrokerComm::event(p$broker_topic, BrokerComm::event_args(broker_remove_rule, p$broker_id, r));
 	return T;
 	}
 global broker_plugin = Plugin(
 	$name=broker_name,
 	$can_expire = F,
 	$add_rule = broker_add_rule_fun,
 	$remove_rule = broker_remove_rule_fun
 	);
 global broker_plugin_can_expire = Plugin(
 	$name=broker_name,
 	$can_expire = T,
 	$add_rule = broker_add_rule_fun,
 	$remove_rule = broker_remove_rule_fun
 	);
 function create_broker(host: addr, host_port: port, topic: string, can_expire: bool &default=F) : PluginState
 	{
 	if ( topic in pacf_broker_topics )
 		Reporter::warning(fmt("Topic %s was added to Pacf broker plugin twice. Possible duplication of commands", topic));
 	else
 		add pacf_broker_topics[topic];
 	local plugin = broker_plugin;
 	if ( can_expire )
 		plugin = broker_plugin_can_expire;
 	local p: PluginState = [$broker_host=host, $broker_port=host_port, $plugin=plugin, $broker_topic=topic, $broker_id=pacf_broker_current_id];
 	pacf_broker_id[pacf_broker_current_id] = p;
 	++pacf_broker_current_id;
 	BrokerComm::enable();
 	BrokerComm::connect(cat(host), host_port, 1sec);
 	BrokerComm::subscribe_to_events(topic);
 	return p;
 	}
--- a/scripts/base/frameworks/pacf/plugins/packetfilter.bro
+++ b/scripts/base/frameworks/pacf/plugins/packetfilter.bro
@ -5,6 +5,8 @@
 module Pacf;
@load ../plugin
 export {
 	## Instantiates the packetfilter plugin.
 	global create_packetfilter: function() : PluginState;
--- a/scripts/base/frameworks/pacf/types.bro
+++ b/scripts/base/frameworks/pacf/types.bro
@ -87,7 +87,7 @@ export {
 	## A rule for the framework to put in place. Of all rules currently in
 	## place, the first match will be taken, sorted by priority. All
-	## further riles will be ignored.
+	## further rules will be ignored.
 	type Rule: record {
 		ty: RuleType;			##< Type of rule.
 		target: TargetType;		##< Where to apply rule.
@ -146,8 +146,6 @@ export {
 		id: count &default=0;		##< Internally determined unique ID for this notification. Will be set when added.
 	};
 }
--- a/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout
+++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.basic/.stdout
@ -1,4 +1,4 @@
-pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin=<uninitialized>]
+pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=<uninitialized>]
-pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin=<uninitialized>]
+pacf debug (Debug-All): add_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=<uninitialized>]
-pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin=[config={\x0a\x09[all] = 1\x0a}, _priority=0, plugin=[name=Pacf::debug_name\x0a{ \x0areturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? All : None)));\x0a}, can_expire=F, init=Pacf::debug_init\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, done=Pacf::debug_done\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, add_rule=Pacf::debug_add_rule\x0a{ \x0aPacf::s = fmt(add_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::rule_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_rule=Pacf::debug_remove_rule\x0a{ \x0aPacf::s = fmt(remove_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aevent Pacf::rule_removed(Pacf::r, Pacf::p, );\x0areturn (T);\x0a}, add_notification=Pacf::debug_add_notification\x0a{ \x0aPacf::s = fmt(add_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::notification_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_notification=Pacf::debug_remove_notification\x0a{ \x0aPacf::s = fmt(remove_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0areturn (Pacf::do_something(Pacf::p));\x0a}, transaction_begin=Pacf::debug_transaction_begin\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_begin);\x0a}, transaction_end=Pacf::debug_transaction_end\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_end);\x0a}], of_controller=<uninitialized>, of_config=<uninitialized>]]
+pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=15.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1]
-pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin=[config={\x0a\x09[all] = 1\x0a}, _priority=0, plugin=[name=Pacf::debug_name\x0a{ \x0areturn (fmt(Debug-%s, (Pacf::do_something(Pacf::p) ? All : None)));\x0a}, can_expire=F, init=Pacf::debug_init\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, done=Pacf::debug_done\x0a{ \x0aPacf::debug_log(Pacf::p, init);\x0a}, add_rule=Pacf::debug_add_rule\x0a{ \x0aPacf::s = fmt(add_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::rule_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_rule=Pacf::debug_remove_rule\x0a{ \x0aPacf::s = fmt(remove_rule: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aevent Pacf::rule_removed(Pacf::r, Pacf::p, );\x0areturn (T);\x0a}, add_notification=Pacf::debug_add_notification\x0a{ \x0aPacf::s = fmt(add_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0aif (Pacf::do_something(Pacf::p)) \x0a\x09{ \x0a\x09event Pacf::notification_added(Pacf::r, Pacf::p, );\x0a\x09return (T);\x0a\x09}\x0a\x0areturn (F);\x0a}, remove_notification=Pacf::debug_remove_notification\x0a{ \x0aPacf::s = fmt(remove_notification: %s, Pacf::r);\x0aPacf::debug_log(Pacf::p, Pacf::s);\x0areturn (Pacf::do_something(Pacf::p));\x0a}, transaction_begin=Pacf::debug_transaction_begin\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_begin);\x0a}, transaction_end=Pacf::debug_transaction_end\x0a{ \x0aPacf::debug_log(Pacf::p, transaction_end);\x0a}], of_controller=<uninitialized>, of_config=<uninitialized>]]
+pacf debug (Debug-All): remove_rule: [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=30.0 secs, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1]
--- a/testing/btest/Baseline/scripts.base.frameworks.pacf.broker/recv.recv.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.broker/recv.recv.out
@ -0,0 +1,5 @@
 BrokerComm::incoming_connection_established
 add_rule, 0, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1]
 add_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1]
 remove_rule, 0, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1]
 remove_rule, 0, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1]
--- a/testing/btest/Baseline/scripts.base.frameworks.pacf.broker/send.send.out
+++ b/testing/btest/Baseline/scripts.base.frameworks.pacf.broker/send.send.out
@ -0,0 +1,7 @@
 BrokerComm::outgoing_connection_established, 127.0.0.1, 9999/tcp
 rule added, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1]
 rule added, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1]
 ruke timeout, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1], [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>]
 rule removed, [ty=Pacf::DROP, target=Pacf::MONITOR, entity=[ty=Pacf::FLOW, conn=<uninitialized>, flow=[src_h=10.10.1.4/32, src_p=1470/tcp, dst_h=74.53.140.153/32, dst_p=25/tcp, src_m=<uninitialized>, dst_m=<uninitialized>], ip=<uninitialized>, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=2, _plugin_id=1]
 ruke timeout, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1], [duration=<uninitialized>, packet_count=<uninitialized>, byte_count=<uninitialized>]
 rule removed, [ty=Pacf::DROP, target=Pacf::FORWARD, entity=[ty=Pacf::ADDRESS, conn=<uninitialized>, flow=<uninitialized>, ip=10.10.1.4/32, mac=<uninitialized>], expire=36000.0, priority=0, location=, c=<uninitialized>, i=<uninitialized>, d=<uninitialized>, s=<uninitialized>, mod=<uninitialized>, id=3, _plugin_id=1]
--- a/testing/btest/scripts/base/frameworks/pacf/broker.bro
+++ b/testing/btest/scripts/base/frameworks/pacf/broker.bro
@ -0,0 +1,102 @@
 # @TEST-SERIALIZE: brokercomm
 # @TEST-REQUIRES: grep -q ENABLE_BROKER $BUILD/CMakeCache.txt
 # @TEST-EXEC: btest-bg-run recv "bro -b ../recv.bro broker_port=$BROKER_PORT >recv.out"
 # @TEST-EXEC: btest-bg-run send "bro -b -r $TRACES/smtp.trace --pseudo-realtime ../send.bro broker_port=$BROKER_PORT >send.out"
 # @TEST-EXEC: btest-bg-wait 20
 # @TEST-EXEC: btest-diff recv/recv.out
 # @TEST-EXEC: btest-diff send/send.out
@TEST-START-FILE send.bro
@load base/frameworks/pacf
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 event bro_init()
 	{
 	suspend_processing();
 	local pacf_broker = Pacf::create_broker(127.0.0.1, broker_port, "bro/event/pacftest", T);
 	Pacf::activate(pacf_broker, 0);
 	}
 event BrokerComm::outgoing_connection_established(peer_address: string,
                                            peer_port: port,
                                            peer_name: string)
 	{
 	print "BrokerComm::outgoing_connection_established", peer_address, peer_port;
 	continue_processing();
 	}
 event BrokerComm::outgoing_connection_broken(peer_address: string,
                                       peer_port: port)
 	{
 	terminate();
 	}
 event connection_established(c: connection)
 	{
 	local id = c$id;
 	Pacf::shunt_flow([$src_h=id$orig_h, $src_p=id$orig_p, $dst_h=id$resp_h, $dst_p=id$resp_p], 10hrs);
 	Pacf::drop_address(id$orig_h, 10hrs);
 	}
 event Pacf::rule_added(r: Pacf::Rule, p: Pacf::PluginState, msg: string)
 	{
 	print "rule added", r;
 	Pacf::remove_rule(r$id);
 	}
 event Pacf::rule_removed(r: Pacf::Rule, p: Pacf::PluginState, msg: string)
 	{
 	print "rule removed", r;
 	}
 event Pacf::rule_timeout(r: Pacf::Rule, i: Pacf::FlowInfo, p: Pacf::PluginState)
 	{
 	print "ruke timeout", r, i;
 	}
@TEST-END-FILE
@TEST-START-FILE recv.bro
@load base/frameworks/pacf
@load base/frameworks/broker
 const broker_port: port &redef;
 redef exit_only_after_terminate = T;
 event bro_init()
 	{
 	BrokerComm::enable();
 	BrokerComm::subscribe_to_events("bro/event/pacftest");
 	BrokerComm::listen(broker_port, "127.0.0.1");
 	}
 event BrokerComm::incoming_connection_established(peer_name: string)
 	{
 	print "BrokerComm::incoming_connection_established";
 	}
 event Pacf::broker_add_rule(id: count, r: Pacf::Rule)
 	{
 	print "add_rule", id, r;
 	BrokerComm::event("bro/event/pacftest", BrokerComm::event_args(Pacf::broker_rule_added, id, r, ""));
 	}
 event Pacf::broker_remove_rule(id: count, r: Pacf::Rule)
 	{
 	print "remove_rule", id, r;
 	BrokerComm::event("bro/event/pacftest", BrokerComm::event_args(Pacf::broker_rule_timeout, id, r, Pacf::FlowInfo()));
 	BrokerComm::event("bro/event/pacftest", BrokerComm::event_args(Pacf::broker_rule_removed, id, r, ""));
 	if ( r$id == 3 )
 		terminate();
 	}
@TEST-END-FILE