[Bro-Dev] #884: Scripting inconsistency in the input framework
Sheharbano Khattak
sheharbano.k at gmail.com
Mon Oct 1 14:05:47 PDT 2012
I have attached the files:
config.txt: the file to be read
config.bro: the file that reads in info from config.txt (please change
<config_filename> to reflect the path where config.txt is located on your
machine)
test.bro: the file that makes use of the config info in
Config::table_config. (I didn't test this one.) Try applying different
functions to_* in bro.bif to the values in Config::table_config and see
what happens. For me, it generated an error.
Thanks.
On Tue, Oct 2, 2012 at 1:42 AM, Bro Tracker <bro at tracker.bro-ids.org> wrote:
> #884: Scripting inconsistency in the input framework
> ---------------------------+------------------------
> Reporter: sheharbano.k | Owner: amannb
> Type: Problem | Status: accepted
> Priority: Normal | Milestone: Bro2.2
> Component: Bro | Version: git/master
> Resolution: | Keywords:
> ---------------------------+------------------------
>
> Comment (by amannb):
>
> Sorry, I was not entirely able to reproduce this problem.
>
> If a table is read using the input framework and you use your type (IdxIp)
> as the index type, the resulting table is of type
>
> {{{
> global tb_ip: table[addr] of count;
> }}}
>
> and not of type
>
> {{{
> global tb_ip: table[IdxIp] of count;
> }}}
>
> The index record is just there to give the input framework the information
> about the names of the fields that are present in the input file -- the
> bro table that is constructed will use an IndexType that contains
> everything that was contained in the record in the same order.
>
> Thus if you have a record like
>
> {{{
> type testrecord: record {
> a: addr;
> b: count;
> c: string;
> }
> }}}
>
> the resulting table will be of type
>
> {{{
> table test [addr, count, string] of count;
> }}}
>
> and not of type
>
> {{{
> table test[testrecord] of count;
> }}}
>
> However you should not even have been able to load the data into a table
> with the wrong type -- the input framework should refuse loading data in a
> table with nonmatching index types. And this seemed to work in my tests.
>
> So could you perhaps send me the exact scripts that you are using (or
> attach them here)? Perhaps something else is going on that I am not
> thinking of at the moment.
>
> --
> Ticket URL: <http://tracker.bro-ids.org/bro/ticket/884#comment:2>
> Bro Tracker <http://tracker.bro-ids.org/bro>
> Bro Issue Tracker
>
--
Sheharbano Khattak
http://etheryell.com
config.txt (attached):
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path reporter
#fields parameter value
#types string string
local_net 1.1.1.1/32
th_addr_scan 35
weight_addr_scan 0.8
th_addr_scan_critical 20
weight_addr_scan_critical 1.0
th_port_scan 15
weight_port_scan 0.25
th_low_port_troll 10
weight_low_port_troll 0.5
wnd_addr_scan 5mins
wnd_port_scan 5mins
scan_evaluation_mode OR
th_ssh_login 10
weight_breakin 1.0
wnd_breakin 10mins
wnd_exploit 10mins
weight_exploit_blacklist_match 0.5
exploit_evaluation_mode OR
evaluation_breakin_mode OR
th_disguised_exe 1
weight_disguised_exe 0.8
weight_egg_signature_match 1.0
wnd_egg 10mins
evaluation_mode OR
th_dns_failure 25
weight_dns_failure 0.8
evaluation_mode OR
wnd_cnc 5mins
weight_cnc_blacklist_match 1.0
weight_cnc_blacklist_dns_match 0.5
weight_cnc_signature_match 0.8
weight_rbn_blacklist_match 0.5
th_sqli_attempt 10
wnd_sqli 5mins
weight_sqli 0.5
sqli_evaluation_mode OR
th_mx_queries 5
th_smtp 25
weight_spam_failed_mx 1.0
weight_spam_failed_smtp 0.8
wnd_spam 5mins
spam_evaluation_mode OR
wnd_correlation 12hrs
wnd_bot 1day
Non-text attachments (scrubbed by the list archive):
config.bro (application/octet-stream, 1506 bytes): http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20121002/e7f6bf34/attachment-0002.obj
test.bro (application/octet-stream, 612 bytes): http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20121002/e7f6bf34/attachment-0003.obj
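An added example, not part of the original thread and not the Bro project's own code: a script that reads the attached config.txt through the input framework and then applies bro.bif conversion functions to the string values, which is the experiment the reporter describes. It illustrates amannb's point that the destination table is keyed on the fields of the index record (here a single string, so table[string]), not on the record type itself. Assumptions: the file path in config_filename, the helper parse_window (written here, not a bro.bif function), and the Input::end_of_data event name (Bro 2.1 called the same event Input::update_finished).

```bro
# Constructed example: read config.txt with the input framework and
# convert its string values.  Not from the original thread or from Bro.
module Config;

export {
    # With $want_record=F below the single Val field is stored directly,
    # so the destination is table[string] of string: the index type is
    # built from Idx's fields in order, not from the Idx record itself.
    global table_config: table[string] of string = table();

    # Assumed path; point it at config.txt on your machine.
    const config_filename = "/path/to/config.txt" &redef;
}

# Index record: names the key column ("parameter") of config.txt.
type Idx: record {
    parameter: string;
};

# Value record: names the remaining column ("value").
type Val: record {
    value: string;
};

# Assumed helper for this example: turn a window such as "5mins", "12hrs"
# or "1day" into an interval, since the file stores every value as a string.
function parse_window(s: string): interval
    {
    if ( /mins$/ in s )
        return to_count(sub(s, /mins$/, "")) * 1min;
    if ( /hrs$/ in s )
        return to_count(sub(s, /hrs$/, "")) * 1hr;
    if ( /day$/ in s )
        return to_count(sub(s, /day$/, "")) * 1day;
    # No recognised suffix: treat the number as seconds.
    return to_count(s) * 1sec;
    }

event bro_init()
    {
    Input::add_table([$source=config_filename, $name="config",
                      $idx=Idx, $val=Val, $destination=table_config,
                      $want_record=F]);
    # One-shot read: the stream is dropped after the file has been consumed.
    Input::remove("config");
    }

# Raised once the whole file has been read into table_config
# (Bro 2.1 named this event Input::update_finished).
event Input::end_of_data(name: string, source: string)
    {
    if ( name != "config" )
        return;

    # Each value arrives as a string; convert with the matching bro.bif function.
    local local_net: subnet = to_subnet(table_config["local_net"]);
    local th_addr_scan: count = to_count(table_config["th_addr_scan"]);
    local weight_addr_scan: double = to_double(table_config["weight_addr_scan"]);
    local wnd_addr_scan: interval = parse_window(table_config["wnd_addr_scan"]);

    print fmt("local_net=%s th_addr_scan=%d weight_addr_scan=%f wnd_addr_scan=%s",
              local_net, th_addr_scan, weight_addr_scan, wnd_addr_scan);
    }
```

Because the framework only checks that the destination's index type matches the Idx fields, a mismatch such as declaring `table[Idx] of string` is rejected at load time rather than silently producing a differently typed table; declaring the destination as `table[string]` is what makes the to_* calls above type-check.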