[Bro] Playing with the input framework

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Thu Jun 28 12:14:03 PDT 2012


Hello Sheharabano,

I just tried your example and it seems to work fine. Please note that the fields in the file "bl.txt" need to be separated with tabulators - including the header lines. If you simply copied the example from the website it probably ended up being separated with spaces.

The input framework outputs error messages. These are written into the file reporter.log (where most Bro error messages end up).

If the file contains a line that looks like
"Reporter::ERROR	InputReader/bl.txt: Not enough fields in line…"
the framework is complaining about missing tab-separated fields (because it is not finding enough tab-separated entries in the line it read).

I hope that helps - if it still does not solve your problem please write again.

Bernhard


On Jun 28, 2012, at 12:06 PM, Sheharbano Khattak wrote:

> Hi,
> 
> I recently finished reading about the new input framework http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it very interesting. As a first step, i tried implementing the example about reading data into tables mentioned here http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html. My bro and source blacklist file look like this:
> 
> ---------------------------------try.bro----------------------------------------------
> module Try;
> 
> # Index type: the key column of the table (the "ip" field of bl.txt).
> type Idx: record {
>     ip: addr;
> };
> 
> # Value type: the remaining columns of bl.txt.
> type Val: record {
>     timestamp: time;
>     reason: string;
> };
> 
> global blacklist: table[addr] of Val = table();
> 
> event bro_init()
>     {
>     print "hello";
>     # Start reading bl.txt into Try::blacklist; Idx and Val must match the #fields header.
>     Input::add_table([$source="bl.txt", $name="bl_stream", $idx=Idx, $val=Val, $destination=Try::blacklist]);
>     # Removing the stream only stops further re-reads; the initial load still finishes.
>     Input::remove("bl_stream");
>     print "bye";
>     }
> 
> event Input::update_finished(name: string, source: string)
>     {
>     # Now all data is in the table.
>     print "Updated";
>     print Try::blacklist;
>     }
> 
> ----------------------------bl.txt---------------------------------------------
> 
> #fields ip    timestamp    reason
> #types    addr    time    string
> 192.168.17.1    1333252748    Malware host
> 192.168.27.2    1330235733    Botnet server
> 192.168.250.3    1333145108    Virus detected
> 
> ---------------------------------------------------------------------------------
> Initially, I tried "bro -r file.pcap try.bro" but it didn't work. To provide ample time for reading in the blacklist, I tried "bro -i eth0 try.bro". The output displays hello and bye but the blacklist wasn't printed even after 5 minutes. I tried giving the absolute source path i.e. "/home/myname/bl.txt" but to no avail.
> 
> Moreover, I purposely gave a wrong input source file and no error was displayed. I feel an appropriate error message will be helpful if someone has mistyped the source file name or if it doesn't exist.
> 
> Regards,
> -- 
> Sheharbano Khattak
> 
> http://etheryell.com
> 
> 
> 
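The exchange above comes down to one file-format rule: every line of a Bro input-framework ASCII table, headers included, must be tab-separated, and each data line must carry as many fields as "#fields" declares. The following Python script is an added example written for this thread; it is not Bro's own reader and not the poster's script. It checks a blacklist file against that rule before Bro ever sees it, reports problems in the style of the reporter.log message quoted above, and converts the three Bro types used in bl.txt (addr, time, string) so that typos in the data are caught as well. The sample inputs are constructed here: the thread's bl.txt with real tabs, the same file with the tabs replaced by spaces (what a copy from a web page typically produces), and a mixed file with a single bad line. Only those three Bro types are supported, which is an assumption made for this example.

```python
"""Check a Bro input-framework ASCII table file before it is fed to
Input::add_table. Added example for this thread, not Bro's reader."""

import ipaddress
from datetime import datetime, timezone

# Constructed sample: the blacklist from the thread with real tab separators.
GOOD_BL = (
    "#fields\tip\ttimestamp\treason\n"
    "#types\taddr\ttime\tstring\n"
    "192.168.17.1\t1333252748\tMalware host\n"
    "192.168.27.2\t1330235733\tBotnet server\n"
    "192.168.250.3\t1333145108\tVirus detected\n"
)

# Constructed sample: tabs replaced by spaces, as a web copy-paste often yields.
BAD_BL = GOOD_BL.replace("\t", "    ")

# Constructed sample: correct headers, but one data line separated by spaces.
MIXED_BL = GOOD_BL.replace(
    "192.168.27.2\t1330235733\tBotnet server",
    "192.168.27.2 1330235733 Botnet server",
)

# Converters for the Bro types used in bl.txt (assumption: only these three
# are needed; Bro's input framework supports many more).
CONVERTERS = {
    "addr": ipaddress.ip_address,
    "time": lambda s: datetime.fromtimestamp(float(s), tz=timezone.utc),
    "string": str,
}


def check_input_file(text, source="bl.txt"):
    """Return (rows, errors).

    rows maps the first column (the table index, like Idx.ip in try.bro) to a
    dict of typed fields; errors holds one reporter-style message per problem.
    """
    rows, errors = {}, []
    fields = types = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if line.startswith("#fields") or line.startswith("#types"):
            if len(parts) < 2:
                # The header itself is not tab-separated: nothing usable follows.
                name = parts[0].split()[0]
                errors.append(f"{source}:{lineno}: header {name} is not tab-separated")
                return rows, errors
            if parts[0] == "#fields":
                fields = parts[1:]
            else:
                types = parts[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (e.g. #separator) are ignored here
        if fields is None or types is None or len(fields) != len(types):
            errors.append(f"{source}:{lineno}: data line before a consistent #fields/#types header")
            return rows, errors
        if len(parts) < len(fields):
            # This is the condition behind Bro's "Not enough fields in line".
            errors.append(f"{source}:{lineno}: Not enough fields in line "
                          f"(expected {len(fields)}, got {len(parts)})")
            continue
        row = {}
        try:
            for name, typ, value in zip(fields, types, parts):
                conv = CONVERTERS.get(typ)
                if conv is None:
                    raise ValueError(f"unsupported type {typ!r}")
                row[name] = conv(value)
        except ValueError as exc:
            errors.append(f"{source}:{lineno}: {exc}")
            continue
        rows[parts[0]] = row
    return rows, errors


if __name__ == "__main__":
    for label, text in (("tabs", GOOD_BL), ("spaces", BAD_BL), ("mixed", MIXED_BL)):
        rows, errors = check_input_file(text)
        print(f"{label}: {len(rows)} rows loaded, {len(errors)} errors")
        for err in errors:
            print("  ", err)
```

The space-separated copy fails at the "#fields" header, before any data is read, while the mixed file loads two rows and reports line 4 with the same "Not enough fields in line" wording the reporter uses. To see the separators in a file directly, `cat -A bl.txt` (GNU coreutils) prints each tab as `^I`.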
