[Bro-Dev] How to use Broker::Data in an event handler?

Jon Siwek jsiwek at corelight.com
Mon Sep 10 13:20:24 PDT 2018


On Mon, Sep 10, 2018 at 8:01 AM Matthias Vallentin <vallentin at icir.org> wrote:
>
> I'm trying to figure out if/how it is possible to use Broker::Data in an
> event handler as follows:
>
>     event foo(x: Broker::Data)
>       {
>       print x;
>       }

No, but you can try to use 'any' instead of 'Broker::Data'.  Examples/ideas:

# Bro code

type myvec: vector of any;

type myrec: record {
    a: string &optional;
    b: count &optional;
    c: int &optional;
};

event bar(x: any)
    {
    switch ( x ) {
    case type myrec as r:
        print "record", r;
        break;
    case type string as s:
        print "string", s;
        break;
    case type int as i:
        print "int", i;
        break;
    case type count as c:
        print "count", c;
        break;
    case type myvec as v:
        {
        print "vector", v;

        for ( i in v )
            event bar(v[i]);
        }
        break;
    default:
        print "got unknown type", x;
        break;
    }
    }

# Python code

import broker
import broker.bro

# 'endpoint' is assumed to be a broker.Endpoint() already peered with Bro.
endpoint.publish("/test", broker.bro.Event("bar", "one"))
endpoint.publish("/test", broker.bro.Event("bar", 2))
endpoint.publish("/test", broker.bro.Event("bar", broker.Count(3)))
endpoint.publish("/test", broker.bro.Event("bar",
        ["one", "two", broker.Count(3)]))
endpoint.publish("/test", broker.bro.Event("bar",
        ["one", None, None]))

> The use case for having a Broker::Data in the Bro event handler is that
> the structure of the data is varying at runtime (similar to JSON).

Should be the same idea if you use the 'any' type along with
appropriate type checking/casting.

> (The code is a slightly adapted version from
> https://github.com/bro/broker/issues/11.)

This, plus a couple of other bugs, should now be fixed in bro + broker, so
make sure to update both if trying the above examples.

- Jon

On Mon, Sep 10, 2018 at 8:01 AM Matthias Vallentin <vallentin at icir.org> wrote:
>
> I'm trying to figure out if/how it is possible to use Broker::Data in an
> event handler as follows:
>
>     event foo(x: Broker::Data)
>       {
>       print x;
>       }
>
> I'm trying to send an event via the Python bindings:
>
>     event = broker.bro.Event("foo", broker.Data(42))
>     endpoint.publish("/test", event)
>
> However, Bro complains:
>
>     warning: failed to convert remote event 'foo' arg #0, got integer, expected record
>
> I tried both
>
>     event = broker.bro.Event("foo", 42)
>
> and a wrapped version
>
>     event = broker.bro.Event("foo", broker.Data(42))
>
> and even
>
>     event = broker.bro.Event("foo", broker.Data(broker.Data(42)))
>
> but it seems that nesting is not possible.
>
> The use case for having a Broker::Data in the Bro event handler is that
> the structure of the data is varying at runtime (similar to JSON).
>
>     Matthias
>
> (The code is a slightly adapted version from
> https://github.com/bro/broker/issues/11.)


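The type checking/casting idea from the reply above, written with the `is` and `as` operators and a recursive function instead of a type switch that re-raises the event. This is an added example, not part of the original message or of the Bro project's code. The names `anyvec`, `max_depth`, `describe` and `baz` are hypothetical, and it assumes a Bro build that provides `is`/`as` alongside the type-based switch. The depth bound is there because the nested vectors arrive from a remote peer.

```bro
# Added example: hypothetical names, not from the original message.
type anyvec: vector of any;

# Upper bound on how deeply nested vectors are walked (assumed value).
const max_depth = 8 &redef;

# Returns a printable description of a dynamically typed value.
# Every cast with 'as' is guarded by a matching 'is' check, so a
# value of an unexpected type ends up in the final "unknown" branch
# instead of triggering a runtime cast error.
function describe(x: any, depth: count): string
    {
    if ( x is string )
        return fmt("string(%s)", x as string);

    if ( x is count )
        return fmt("count(%d)", x as count);

    if ( x is int )
        return fmt("int(%d)", x as int);

    if ( x is anyvec )
        {
        # Stop descending once the nesting exceeds the bound.
        if ( depth >= max_depth )
            return "vector(<nesting limit reached>)";

        local v = x as anyvec;
        local out = "vector(";

        for ( i in v )
            out = out + " " + describe(v[i], depth + 1);

        return out + " )";
        }

    return "unknown";
    }

event baz(x: any)
    {
    print describe(x, 0);
    }
```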