[Bro] Split path into directory and filename

Seth Hall seth at icir.org
Mon Aug 15 06:20:59 PDT 2011

On Aug 13, 2011, at 9:45 PM, Peter Erickson wrote:

> Is there a way to use regex to extract portions of a string? I'm trying to
> write a function that accepts a path and breaks it into a directory and
> filename (/tmp/file.txt => [ /tmp, file.txt ]). I would like to do
> something as easy as /(\/.+)/([^\/]+)$/, but am not sure it's possible
> with bro (I wrote the expr quick so there are probably typos).

Nope, Bro's regular expressions don't support captures.  You did it exactly the same way that I would have, by splitting on /\// and taking the last value as the file name and the rest as the path.

> The reason I ask is I'm looking to modify the http/file-extract.bro
> script so that the http responses are saved into a directory structure
> based on the src and dst ip addresses (e.g. http-items/src_ip/dst_ip).

Ah, that's interesting.  We need to rework the way that works to put more control of the file naming in users' hands; it's a definite shortcoming in the current iteration.  I'll refactor it a little bit soon so that you can accomplish what you want without having to rewrite bits of functionality. :)

> I plan to modify the generate_extraction_filename to create this path
> and then send the filename to a function to create the directory
> structure. (I know that modifying generate_extraction_filename will have
> adverse effects on other scripts, but I plan to update those as well.)

Yeah, I generally don't like the way I wrote that.  

> function mkdirs(dir: string): bool {

Thanks for this function.  I'll integrate it in some form soon.

Since I see that you're using the code from the repository, I'd be happy to find out how your experience with it has been if you are interested in sharing.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
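
The approach described in the reply above (split on /\// and take the last element as the file name, the rest as the directory), written out as an added example that is not part of the original message or the project's scripts. It assumes a current Zeek release, where split_string() returns a 0-indexed vector; PathParts and split_path are hypothetical names.

```zeek
# Added example, not code from the thread. Assumes a current Zeek release,
# where split_string() returns a 0-indexed vector of strings.
# PathParts and split_path are hypothetical names.

type PathParts: record {
	directory: string;
	filename: string;
};

function split_path(path: string): PathParts
	{
	# No regex captures: split on "/" and pick the pieces apart by index.
	local parts = split_string(path, /\//);
	local last = |parts| - 1;   # split_string returns at least one element
	local dir = "";

	# Rejoin every element except the last one to form the directory.
	for ( i in parts )
		{
		if ( i == last )
			break;
		dir = (i == 0) ? parts[i] : (dir + "/" + parts[i]);
		}

	# "/file.txt" splits into ["", "file.txt"]; the directory is the root.
	if ( |parts| > 1 && dir == "" )
		dir = "/";

	return PathParts($directory=dir, $filename=parts[last]);
	}

event zeek_init()
	{
	# Constructed sample inputs covering the edge cases.
	for ( p in set("/tmp/file.txt", "/file.txt", "file.txt", "/tmp/sub/") )
		{
		local r = split_path(p);
		print fmt("%s -> directory=%s filename=%s", p, r$directory, r$filename);
		}
	}
```

A path with no slash yields an empty directory, and a path ending in a slash yields an empty file name, so callers should check for both before creating anything on disk.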
