[Bro] problem with &expire_func

Vern Paxson vern at icir.org
Thu Feb 10 12:49:11 PST 2005


> > global mytable: table[addr] of bool &write_expire=10sec &expire_func=myfunc;
> > 
> > function myfunc(t: table[addr] of bool , idx: any): interval {
> >     local srcIP: addr;
> >     
> >     print network_time(),"help!!!";
> >     [srcIP] = idx;
> > 
> >     return 0secs;
> > }

The problem here is that if there's just a single index, it's transmitted
in the call to the expire_func as its own type rather than as a combo "any"
type.  So you need to instead use:

	function myfunc(t: table[addr] of bool , idx: addr): interval {
		local srcIP: addr;
		srcIP = idx;
		return 0secs;
	}

(Or "local srcIP = idx", or just use idx directly in the function.)

Bro shouldn't of course crash for the example above as you gave it.
I've entered fixing this into the bug-tracker, but using the type directly
as I show is the proper way to do this (i.e., not merely a workaround).

		Vern
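
The two cases described in the message above, side by side, as an added example that is not part of the original thread or of the Bro distribution. The table names, function names and sample addresses are made up for illustration, and the two-index form assumes the combined "any" index is unpacked with the same list assignment the quoted script used.

```bro
# Added illustration; names and addresses are constructed.

# Single index: the expire function receives the index as its own
# type (addr), so it is declared as addr and used directly.
function expire_host(t: table[addr] of bool, idx: addr): interval
	{
	print network_time(), "expired host", idx;
	return 0secs;	# same return value as in the message above
	}

# Two indices: the index arrives as the combined "any" type and is
# unpacked into typed locals by list assignment.
function expire_service(t: table[addr, port] of bool, idx: any): interval
	{
	local a: addr;
	local p: port;
	[a, p] = idx;
	print network_time(), "expired service", a, p;
	return 0secs;
	}

global hosts: table[addr] of bool
	&write_expire=10sec &expire_func=expire_host;
global services: table[addr, port] of bool
	&write_expire=10sec &expire_func=expire_service;

event bro_init()
	{
	# Constructed sample entries so both expire functions have
	# something to fire on once 10 seconds of network time pass.
	hosts[10.0.0.1] = T;
	services[10.0.0.1, 80/tcp] = T;
	}
```

Expiration is driven by network time, so the entries only expire when the script runs against live traffic or a trace that spans more than the 10-second timeout.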


