[Bro] Playing with the input framework

Sheharbano Khattak sheharbano.k at gmail.com
Thu Jun 28 12:06:29 PDT 2012


I recently finished reading about the new input framework
http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it
very interesting. As a first step, I tried implementing the example about
reading data into tables mentioned here.
My bro and source blacklist file look like this:

module Try;

# Index record: the table key (one column of the input file).
type Idx: record {
        ip: addr;
};

# Value record: the remaining columns of the input file.
type Val: record {
        timestamp: time;
        reason: string;
};

global blacklist: table[addr] of Val = table();

event bro_init()
{
    print "hello";
    Input::add_table([$source="bl.txt", $name="bl_stream", $idx=Idx,
                      $val=Val, $destination=Try::blacklist]);
    print "bye";
}

event Input::update_finished(name: string, source: string)
{
    # now all data is in the table
    print "Updated";
    print Try::blacklist;
}


#fields	ip	timestamp	reason
#types	addr	time	string
<ip>	1333252748	Malware host
<ip>	1330235733	Botnet server
<ip>	1333145108	Virus detected

Initially, I tried "bro -r file.pcap try.bro" but it didn't work. To
provide ample time for reading in the blacklist, I tried "bro -i eth0
try.bro". The output displays hello and bye but the blacklist wasn't
printed even after 5 minutes. I tried giving the absolute source path, i.e.
"/home/myname/bl.txt", but to no avail.

Moreover, I purposely gave a wrong input source file and no error was
displayed. I feel an appropriate error message will be helpful if someone
has mistyped the source file name or if it doesn't exist.

Sheharbano Khattak
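An added example, not part of the message above and not Bro's own code: a small Python checker for a blacklist file in the layout the Bro ASCII input reader consumes (tab-separated columns with a "#fields" and a "#types" header line). It does what the post asks for, i.e. it fails loudly when the source file is missing, when the header does not match the Idx/Val records declared in the script, when a row is not tab-separated, or when a cell is not a valid addr or time, instead of loading nothing and staying silent. The sample file contents, the documentation-range addresses and the function names are constructed for this example.

```python
import ipaddress
from pathlib import Path

# Constructed sample in the layout Bro's ASCII input reader expects: tab-separated
# columns, a "#fields" line naming them and a "#types" line giving their Bro types.
# The addresses are documentation-range placeholders, not real hosts.
SAMPLE_BLACKLIST = (
    "#fields\tip\ttimestamp\treason\n"
    "#types\taddr\ttime\tstring\n"
    "192.0.2.10\t1333252748\tMalware host\n"
    "198.51.100.7\t1330235733\tBotnet server\n"
    "203.0.113.42\t1333145108\tVirus detected\n"
)

# Columns the script's Idx + Val records declare, in order: the first is the
# table index, the rest make up the value record.
EXPECTED_COLUMNS = [("ip", "addr"), ("timestamp", "time"), ("reason", "string")]


class BlacklistFormatError(ValueError):
    """Carries the line number and reason a file would not load as declared."""


def _convert(kind, text, lineno):
    """Convert one cell to a Python value according to its Bro type name."""
    if kind == "addr":
        try:
            return str(ipaddress.ip_address(text))   # normalised textual address
        except ValueError:
            raise BlacklistFormatError(f"line {lineno}: {text!r} is not an addr") from None
    if kind == "time":
        try:
            return float(text)                        # epoch seconds, like Bro's time
        except ValueError:
            raise BlacklistFormatError(f"line {lineno}: {text!r} is not a time") from None
    if kind == "string":
        return text
    raise BlacklistFormatError(f"line {lineno}: unsupported type {kind!r}")


def parse_blacklist(text, expected=EXPECTED_COLUMNS):
    """Parse Bro ASCII input text into {ip: {"timestamp": ..., "reason": ...}}.

    Every problem (missing or mismatched header, wrong column count, bad value)
    raises BlacklistFormatError rather than silently producing an empty table.
    """
    fields = types = None
    table = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        cols = raw.split("\t")
        if cols[0] == "#fields":
            fields = cols[1:]
            continue
        if cols[0] == "#types":
            types = cols[1:]
            continue
        if cols[0].startswith("#"):
            continue                                   # other directives: ignore
        if fields is None or types is None:
            raise BlacklistFormatError(f"line {lineno}: data before #fields/#types header")
        declared = list(zip(fields, types))
        if declared != list(expected):
            raise BlacklistFormatError(
                f"header declares {declared}, script expects {list(expected)}")
        if len(cols) != len(fields):
            raise BlacklistFormatError(
                f"line {lineno}: expected {len(fields)} tab-separated columns, got {len(cols)}")
        values = [_convert(kind, cell, lineno) for (_, kind), cell in zip(expected, cols)]
        names = [name for name, _ in expected[1:]]
        table[values[0]] = dict(zip(names, values[1:]))
    if fields is None or types is None:
        raise BlacklistFormatError("no #fields/#types header found")
    return table


def load_blacklist(path):
    """Read a blacklist file from disk, failing loudly if the source is missing."""
    p = Path(path)
    if not p.is_file():
        raise FileNotFoundError(f"input source {path!r} does not exist or is not a file")
    return parse_blacklist(p.read_text())


def validate_blacklist(text):
    """Return None when the text parses cleanly, otherwise the error message."""
    try:
        parse_blacklist(text)
        return None
    except BlacklistFormatError as exc:
        return str(exc)


if __name__ == "__main__":
    for ip, val in parse_blacklist(SAMPLE_BLACKLIST).items():
        print(ip, val)
```

Running the checker over a real bl.txt before handing it to Input::add_table is a quick way to tell a path or format mistake apart from a framework problem; a file whose columns are separated by spaces rather than tabs, for instance, is reported as a single-column row.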

