System Entrypoint¶

File location

Bundled implementation:
- source/client/python/remote.py
- source/client/python/scan.py
Cluster implementation: cluster/app/source/python/__main__.py

In bundled implementation, the Bro Logs Processing module (remote) starts a background process for the BroAPT-App framework; whilst the Detection Process module (process) contains main processing logic as well as the original system entrypoint.

In cluster implementation, this file wraps the whole system and make the python folder callable as a module where the __main__.py will be considered as the entrypoint.

Constants¶

__main__.FILE_REGEX: re.Pattern¶

Availability: cluster implementation

re.compile(r'''
    # protocol prefix
    (?P<protocol>DTLS|FTP_DATA|HTTP|IRC_DATA|SMTP|\S+)
    -
    # file UID
    (?P<fuid>F\w+)
    \.
    # PCAP source
    (?P<pcap>.+?)
    \.
    # media-type
    (?P<media_type>application|audio|example|font|image|message|model|multipart|text|video|\S+)
    \.
    # subtype
    (?P<subtype>\S+)
    \.
    # file extension
    (?P<extension>\S+)
''', re.IGNORECASE | re.VERBOSE)

Regular expression to match and fetch information from extracted files.

See also

const.FILE_REGEX

Dataclasses¶

class scan.MIME¶

Availability: bundled implementation

A dataclass for parsed MIME type.

media_type: str¶: Media type.

subtype: str¶: Subtype.

name: str¶: MIME type.

class __main__.MIME¶

Availability: cluster implementation

See also

scan.MIME

class scan.Entry¶

Availability: bundled implementation

A dataclass for extracted file entry.

path: str¶: File path.

uuid: str¶: UUID parsed from file.

mime: MIME¶: Parsed MIME type dataclass.

Note

This dataclass supports ordering with power of functools.total_ordering().

class __main__.Entry¶

Availability: cluster implementation

See also

scan.Entry

Bundled Implementation¶

`scan` Module¶

scan.scan(local_name: str)¶

Availability: bundled implementation

Parse then start processing of the given file.

See also

scan.process()

scan.lookup(path: str)¶

Availability: bundled implementation

Fetch all extracted files to be processed from the given path.

Parameters: path (str) – Path to extracted files.
Returns: List of extracted files.
Return type: List[str]

`remote` Module¶

Framework Mainloop¶

remote.remote_dump()¶

Availability: bundled implementation

Runtime mainloop for BroAPT-App framework.

The function will start as an indefinite loop to fetch path to extracted files from const.QUEUE_DUMP, and perform scan() on them.

When JOIN_DUMP is set to True, the function will break from the loop.

Signal Handling¶

remote.join_dump(*args, **kwargs)¶

Availability: bundled implementation

Toggle JOIN_DUMP to True.

Note

This function is registered as handler for SIGUSR1`.

remote.JOIN_DUMP = multiprocessing.Value('B', False)¶

Availability: bundled implementation

Flag to stop the remote_dump() background process.

Cluster Implementation¶

__main__.listdir(path: str)¶

Availability: cluster implementation

Fetch and parse all extracted files in the given path.

Parameters: path (str) – Path to extracted files.
Returns: List of parsed entry for extracted files.
Return type: List[Entry]

__main__.check_history()¶

Availability: cluster implementation

Check processed extracted files.

Note

Processed extracted files will be recorded at const.DUMP.

Returns: List of processed extracted files.
Return type: List[str]

__main__.main()¶

Availability: cluster implementation

Run the BroAPT-Core framework.

Returns: Exit code.
Return type: int

See also

__main__.process()

System Entrypoint¶

Constants¶

Dataclasses¶

Bundled Implementation¶

`scan` Module¶

`remote` Module¶

Framework Mainloop¶

Signal Handling¶

Cluster Implementation¶

BroAPT

Navigation

Related Topics

System Entrypoint¶

Constants¶

Dataclasses¶

Bundled Implementation¶

scan Module¶

remote Module¶

Framework Mainloop¶

Signal Handling¶

Cluster Implementation¶

`scan` Module¶

`remote` Module¶