[Bro-Dev] Introspection: obtaining events and types at startup

Matthias Vallentin vallentin at icir.org
Mon Apr 9 10:51:18 PDT 2012

I would like to dump all events and types at Bro startup. E.g., the
desired output looks somewhat like this:

    type conn_id: record { orig_h: addr, ... }
    type connection: record { id : conn_id, orig: endpoint, ... }
    event new_connection(c : connection)

Two BiFs seem to be very close:

    (1) record_type_to_vector(rt: string): vector of string
        Converts the record type name rt into a vector of strings, where
        each element is the name of a record field. Nested records are

    (2) global_ids(): table[string] of script_id
        Returns a table with information about all global identifiers.
        The table value is a record containing the type name of the
        identifier, whether it is exported, a constant, an enum
        constant, redefinable, and its value (if it has one).

For example,

    bro -e 'event bro_init() { print record_type_to_vector("connection"); }'

prints

    [, id, orig, resp, start_time, duration, service, addl, hot,
    history, uid, dpd, conn, extract_orig, extract_resp, dns, dns_state,
    ftp, http, http_state, irc, smtp, smtp_state, ssh, ssl, syslog]


    bro -e 'event bro_init() { print global_ids(); }'

returns a list of identifiers. Here are some connection-related ones:

    [connection] = [type_name=record, exported=F, constant=F,
        enum_constant=F, redefinable=F, value=<uninitialized>],
    [remote_connection_established] = [type_name=func, exported=T,
        constant=T, enum_constant=F, redefinable=F,
        Communication::do_script_log(Communication::p, connection established);
    [lookup_connection] = [type_name=func, exported=T, constant=F,
        enum_constant=F, redefinable=F, value=lookup_connection],
    [connection_finished] = [type_name=func, exported=T, constant=T,
        enum_constant=F, redefinable=F, value=connection_finished
    [connection_established] = [type_name=func, exported=T,
        constant=T, enum_constant=F, redefinable=F,

The problem is that (i) record_type_to_vector flattens nested records,
which makes it impossible to recover the true underlying type structure,
and (ii) events are merely listed as a function, without named

Has anyone come across a similar problem? My hope is to get this
information at the script land, but it looks like the information is not
readily available without tweaking some BiFs.
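As an added example (not code from the original post), the following Bro script combines the two BiFs described above to get as close as script land currently allows: it walks `global_ids()`, prints the flattened field list for every record type via `record_type_to_vector`, and lists everything with `type_name` equal to `"func"`. It assumes the 2.0-era API named in the thread (`global_ids()` returning `table[string] of script_id` with a string `type_name` field, and `record_type_to_vector` returning `vector of string`), and it deliberately exhibits both limitations the post raises: nested records come out flattened, and events are indistinguishable from ordinary functions.

```bro
# Added example, not the original poster's code. Assumes the Bro 2.0-era
# BiFs global_ids() and record_type_to_vector() as described in the thread.
# Run with:  bro introspect.bro
event bro_init()
    {
    local ids = global_ids();

    for ( id in ids )
        {
        local info = ids[id];

        if ( info$type_name == "record" )
            {
            # One string per field, but nested records are flattened, so
            # the printed list is not the true type structure (limitation i).
            local fields = record_type_to_vector(id);
            local out = "";

            for ( i in fields )
                out = fmt("%s%s%s", out, out == "" ? "" : ", ", fields[i]);

            print fmt("type %s: record { %s }", id, out);
            }
        else if ( info$type_name == "func" )
            {
            # Events and plain functions both carry type_name "func", and
            # parameter names are not exposed here (limitation ii).
            print fmt("func %s", id);
            }
        }
    }
```

The output reproduces what the thread shows for `connection`: the first element of the field vector is empty in the version quoted above, and `lookup_connection` (a function) is listed beside `connection_established` (an event) with no way to tell them apart from script land.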
