[Bro] How to use the table and queue in Bro

Qinwen Hu qhu009 at aucklanduni.ac.nz
Sat Mar 15 00:37:00 PDT 2014

Hi All,

I am a new user for Bro. Recently, I try to use Bro to look at the reverse
lookup searching. Therefore, I would like to save all reverse lookup
packets into a queue or array based on the source address. When the next
income packet arrive, I will check the source address, if I have this
record, then I will compare the current packet with the previous reverse
lookup packets.

I find a example in /dns/main.bro that I can use the table and queue
together. So I have defined my table "checking" in the following structure.

type State: record {
        checking: table[addr] of Queue::Queue;
        finished_answers: set[count];

I also modified bro/base/protocol/dns/main.bro and add my logic inside of
event dns request. I check the DNS query, if the query is reverse lookup
query, I will process the following logic

           if (c$id$orig_h !in c$dns_state$checking)
               c$dns_state$checking[c$id$orig_h] = Queue::init();

           if ( Queue::len(c$dns_state$checking[c$id$orig_h]) !=0)
                local tmpString1 =
                local startIndex = 0;

                ### checking the search pattern

                    startIndex = strstr(tmpString,tmpString1);
                     startIndex = strstr(tmpString1,tmpString);

             Queue::put(c$dns_state$checking[c$id$orig_h], tmpString);

I have a problem in " if (c$id$orig_h !in c$dns_state$checking) ",  I find
for every new reverse lookup request , my code will initiated a new queue.
and the IF condition(  if (c$id$orig_h !in c$dns_state$checking)) hasn't
been applied for my code. because I have some packets from the same source

So, I am confusing, because I have used the source address as a index for
the table, and for every income packet, I will check either I have the
source address in the table or not.

If you have any ideas, could you please let me know? Many thanks for your
time to read my Email.


