[Bro-Dev] #884: Scripting inconsistency in the input framework

Sheharbano Khattak sheharbano.k at gmail.com
Mon Oct 1 14:05:47 PDT 2012


I have attached the files:

config.txt: the file to be read

config.bro: the file that reads in info from config.txt (please change
<config_filename> to reflect the path where config.txt is located on your
machine)

test.bro: the file that makes use of the config info in
Config::table_config. (I didn't test this one.) Try applying different
to_* functions in bro.bif to the values in Config::table_config and see
what happens. For me, it generated an error.

Thanks.

On Tue, Oct 2, 2012 at 1:42 AM, Bro Tracker <bro at tracker.bro-ids.org> wrote:

> #884: Scripting inconsistency in the input framework
> ---------------------------+------------------------
>   Reporter:  sheharbano.k  |      Owner:  amannb
>       Type:  Problem       |     Status:  accepted
>   Priority:  Normal        |  Milestone:  Bro2.2
>  Component:  Bro           |    Version:  git/master
> Resolution:                |   Keywords:
> ---------------------------+------------------------
>
> Comment (by amannb):
>
>  Sorry, I was not entirely able to reproduce this problem.
>
>  If a table is read using the input framework and you use your type (IdxIp)
>  as the index type, the resulting table is of type
>
>  {{{
>  global tb_ip: table[addr] of count;
>  }}}
>
>  and not of type
>
>  {{{
>  global tb_ip: table[IdxIp] of count;
>  }}}
>
>  The index record is just there to give the input framework the information
>  about the names of the fields that are present in the input file -- the
>  bro table that is constructed will use an IndexType that contains
>  everything that was contained in the record in the same order.
>
>  Thus if you have a record like
>
>  {{{
>  type testrecord: record {
>     a: addr;
>     b: count;
>     c: string;
>  }
>  }}}
>
>  the resulting table will be of type
>
>  {{{
>   table test [addr, count, string] of count;
>  }}}
>
>  and not of type
>
>  {{{
>   table test[testrecord] of count;
>  }}}
>
>  However you should not even have been able to load the data into a table
>  with the wrong type -- the input framework should refuse loading data in a
>  table with nonmatching index types. And this seemed to work in my tests.
>
>  So could you perhaps send me the exact scripts that you are using (or
>  attach them here)? Perhaps something else is going on that I am not
>  thinking of at the moment.
>
> --
> Ticket URL: <http://tracker.bro-ids.org/bro/ticket/884#comment:2>
> Bro Tracker <http://tracker.bro-ids.org/bro>
> Bro Issue Tracker
>



-- 
Sheharbano Khattak

http://etheryell.com
-------------- next part --------------
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	reporter
#fields	parameter	value
#types	string	string
local_net	1.1.1.1/32
th_addr_scan	35
weight_addr_scan	0.8
th_addr_scan_critical	20
weight_addr_scan_critical	1.0
th_port_scan	15
weight_port_scan	0.25
th_low_port_troll	10
weight_low_port_troll	0.5
wnd_addr_scan	5mins 
wnd_port_scan	5mins
scan_evaluation_mode	OR
th_ssh_login	10
weight_breakin	1.0
wnd_breakin	10mins
wnd_exploit	10mins
weight_exploit_blacklist_match	0.5
exploit_evaluation_mode	OR
evaluation_breakin_mode	OR
th_disguised_exe	1
weight_disguised_exe	0.8
weight_egg_signature_match	1.0
wnd_egg	10mins
evaluation_mode	OR
th_dns_failure	25
weight_dns_failure	0.8
evaluation_mode	OR
wnd_cnc	5mins
weight_cnc_blacklist_match	1.0
weight_cnc_blacklist_dns_match	0.5
weight_cnc_signature_match	0.8
weight_rbn_blacklist_match	0.5
th_sqli_attempt	10
wnd_sqli	5mins
weight_sqli	0.5
sqli_evaluation_mode	OR
th_mx_queries	5
th_smtp	25
weight_spam_failed_mx	1.0
weight_spam_failed_smtp	0.8
wnd_spam	5mins
spam_evaluation_mode	OR
wnd_correlation	12hrs
wnd_bot	1day
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config.bro
Type: application/octet-stream
Size: 1506 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20121002/e7f6bf34/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.bro
Type: application/octet-stream
Size: 612 bytes
Desc: not available
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20121002/e7f6bf34/attachment-0003.obj 
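For reference, the following Bro script is an added example of the pattern the comment above describes; it is not the attached config.bro or test.bro. It reads the attached config.txt (one index column "parameter", one value column "value", both strings) with the input framework and then converts the string values to typed values with to_subnet, to_count and to_double. Assumptions: the path to config.txt, that Input::end_of_data is available in the Bro version in use, and the parameter names chosen for conversion (taken from the attached file).

```bro
# Added example, not the attached config.bro/test.bro.
# Reads config.txt via the input framework and converts the values afterwards.
module Config;

export {
    # Index record: one field per index column of config.txt.
    # The destination table is indexed by the *fields* of Idx, in order,
    # so its type is table[string] and not table[Idx]. A two-field index
    # record such as record { a: addr; b: count; } would instead require
    # a destination of type table[addr, count] of ... .
    type Idx: record {
        parameter: string;
    };

    # Value record: the remaining column(s) of config.txt.
    type Val: record {
        value: string;
    };

    # With $want_record=F below, a single-field Val is stored as its
    # bare value, so the table holds strings rather than Val records.
    global table_config: table[string] of string = table();

    # Typed settings, filled once the file has been read completely.
    global local_net: subnet;
    global th_addr_scan: count;
    global weight_addr_scan: double;
}

# Look up a parameter from the file, reporting a missing key instead of
# letting a later to_*() call fail on an absent table entry.
function get(name: string): string
{
    if ( name in table_config )
        return table_config[name];

    Reporter::error(fmt("config.txt: missing parameter '%s'", name));
    return "";
}

event bro_init()
{
    Input::add_table([$source="/path/to/config.txt",   # assumption: adjust to your machine
                      $name="config",
                      $idx=Idx,
                      $val=Val,
                      $want_record=F,
                      $destination=table_config]);
    # The file is read once; no need to keep the input stream open.
    Input::remove("config");
}

# The read is asynchronous: table_config is still empty inside bro_init,
# so conversions must wait for end_of_data (assumed available).
event Input::end_of_data(name: string, source: string)
{
    if ( name != "config" )
        return;

    local_net = to_subnet(get("local_net"));          # "1.1.1.1/32"
    th_addr_scan = to_count(get("th_addr_scan"));     # "35"
    weight_addr_scan = to_double(get("weight_addr_scan"));   # "0.8"

    print fmt("local_net=%s th_addr_scan=%d weight_addr_scan=%f",
              local_net, th_addr_scan, weight_addr_scan);
}
```

Note that the conversions are done in Input::end_of_data rather than directly after Input::add_table; the values are not in the table yet when bro_init returns, and a to_*() call on a missing entry is one easy way to get an error in a script like test.bro.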