[Bro] Accessing bro variables in c

Christian Kreibich christian at whoop.org
Thu Jun 16 11:41:48 PDT 2005

Hi again,

On Thu, 2005-06-16 at 12:11 -0500, Mike Muratet wrote:
> Greetings
> I've run up against another glitch in my efforts to get data out of bro. I 
> am receiving the 'connection_finished' event from the conn.bro policy which 
> sends a bro type 'connection' record. I am processing the event with the 
> callback method:
> void bro_conn_callback(BroConn* bc, BroRecord* conn)
> {
>     void* result;
>     char* service;
>     bro_record_get_named_val(conn, "service", BRO_TYPE_STRING, result);
>     service = strdup((char*)result);
>     printf("%s event received\n", service);
>     free(service);
> }
> When I ssh into the host machine and exit it triggers the event as it 
> should, but the callback prints out an empty string.

Mhmm does it work when you do this instead:

  BroString *result;
  bro_record_get_named_val(conn, "service", BRO_TYPE_STRING, &result);


Also note that strings are actually instances of BroString, so in order
to get to the resulting string you want to use

  printf("%s event received\n", result->str_val);

I really need to add bro_string_get_data() and bro_string_get_length().

> My experiments with the bro type 'time' variable start_time are equally 
> unsuccessful. Is the type equivalent to the c double, or is it a timestamp 
> structure? (I didn't find it in the bro manual.)

Try similarly to the above code snippet -- pass the address of the
pointer so Broccoli can adjust it to point to the result.

> Am I going about this all wrong?

I'd say you're very close! The record handling stuff is some of the
newest code in Broccoli and could probably be better documented ... Well
done! :)
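
The pointer-passing point from the reply, as an added example that is not part of the original post and does not use the Broccoli API. `DemoString`, `DemoRecord`, `get_by_value` and `get_by_address` are hypothetical stand-ins, and the record is constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for illustration only; these are NOT Broccoli types. */
typedef struct { const char *str_val; } DemoString;
typedef struct { const char *name; DemoString val; } DemoField;
typedef struct { DemoField fields[2]; int n; } DemoRecord;

/* Constructed sample record with two string fields. */
static DemoRecord sample = { { { "service", { "ssh" } }, { "note", { "" } } }, 2 };

static DemoString *lookup(DemoRecord *r, const char *name) {
    for (int i = 0; i < r->n; i++)
        if (strcmp(r->fields[i].name, name) == 0)
            return &r->fields[i].val;
    return NULL;
}

/* Pointer passed by value: the assignment changes only this local copy. */
static int get_by_value(DemoRecord *r, const char *name, DemoString *result) {
    result = lookup(r, name);
    return result != NULL;
}

/* Address of the pointer passed: the callee can redirect the caller's pointer. */
static int get_by_address(DemoRecord *r, const char *name, DemoString **result) {
    if (result == NULL) return 0;
    *result = lookup(r, name);
    return *result != NULL;
}

/* Caller's pointer is never updated, so the fallback "" is returned. */
const char *service_by_value(DemoRecord *r) {
    DemoString *result = NULL; /* initialised so the miss is observable, not undefined */
    get_by_value(r, "service", result);
    return result ? result->str_val : "";
}

/* Caller's pointer is set by the callee; the return code is checked first. */
const char *service_by_address(DemoRecord *r) {
    DemoString *result = NULL;
    if (!get_by_address(r, "service", &result)) return "";
    return result->str_val;
}

int main(void) {
    printf("by value:   \"%s\"\n", service_by_value(&sample));
    printf("by address: \"%s\"\n", service_by_address(&sample));
    return 0;
}
```

In the quoted callback the pointer is also uninitialised, so reading it is undefined behaviour rather than a clean empty result; initialising to `NULL` and checking the return code makes a missing field detectable.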

