System Entrypoint

File location:

• Bundled implementation:

  • source/client/python/remote.py

  • source/client/python/scan.py

• Cluster implementation: cluster/app/source/python/__main__.py

In bundled implementation, the Bro Logs Processing module (remote) starts a background process for the BroAPT-App framework; whilst the Detection Process module (process) contains main processing logic as well as the original system entrypoint.

In cluster implementation, this file wraps the whole system and make the python folder callable as a module where the __main__.py will be considered as the entrypoint.

Constants

__main__.FILE_REGEX: re.Pattern

Availability:

cluster implementation

re.compile(r'''
    # protocol prefix
    (?P<protocol>DTLS|FTP_DATA|HTTP|IRC_DATA|SMTP|\S+)
    -
    # file UID
    (?P<fuid>F\w+)
    \.
    # PCAP source
    (?P<pcap>.+?)
    \.
    # media-type
    (?P<media_type>application|audio|example|font|image|message|model|multipart|text|video|\S+)
    \.
    # subtype
    (?P<subtype>\S+)
    \.
    # file extension
    (?P<extension>\S+)
''', re.IGNORECASE | re.VERBOSE)

Regular expression to match and fetch information from extracted files.

See also

const.FILE_REGEX

Dataclasses

class scan.MIME

Availability:

bundled implementation

A dataclass for parsed MIME type.

media_type: str

Media type.

subtype: str

Subtype.

name: str

MIME type.

class __main__.MIME

Availability:

cluster implementation

See also

scan.MIME

class scan.Entry

Availability:

bundled implementation

A dataclass for extracted file entry.

path: str

File path.

uuid: str

UUID parsed from file.

mime: MIME

Parsed MIME type dataclass.

Note

This dataclass supports ordering with power of functools.total_ordering().

class __main__.Entry

Availability:

cluster implementation

See also

scan.Entry

Bundled Implementation

scan Module

scan.scan(local_name: str)

Availability:

bundled implementation

Parse then start processing of the given file.

See also

scan.process()

scan.lookup(path: str)

Availability:

bundled implementation

Fetch all extracted files to be processed from the given path.

Parameters:

path (str) – Path to extracted files.

Returns:

List of extracted files.

Return type:

List[str]

remote Module

Framework Mainloop

remote.remote_dump()

Availability:

bundled implementation

Runtime mainloop for BroAPT-App framework.

The function will start as an indefinite loop to fetch path to extracted files from const.QUEUE_DUMP, and perform scan() on them.

When JOIN_DUMP is set to True, the function will break from the loop.

Signal Handling

remote.join_dump(*args, **kwargs)

Availability:

bundled implementation

Toggle JOIN_DUMP to True.

Note

This function is registered as handler for SIGUSR1`.

remote.JOIN_DUMP = multiprocessing.Value('B', False)

Availability:

bundled implementation

Flag to stop the remote_dump() background process.

Cluster Implementation

__main__.listdir(path: str)

Availability:

cluster implementation

Fetch and parse all extracted files in the given path.

Parameters:

path (str) – Path to extracted files.

Returns:

List of parsed entry for extracted files.

Return type:

List[Entry]

__main__.check_history()

Availability:

cluster implementation

Check processed extracted files.

Note

Processed extracted files will be recorded at const.DUMP.

Returns:

List of processed extracted files.

Return type:

List[str]

__main__.main()

Availability:

cluster implementation

Run the BroAPT-Core framework.

Returns:

Exit code.

Return type:

int

See also

__main__.process()