[Bro-Dev] How to use Broker::Data in an event handler?
Jon Siwek
jsiwek at corelight.com
Mon Sep 10 13:20:24 PDT 2018
On Mon, Sep 10, 2018 at 8:01 AM Matthias Vallentin <vallentin at icir.org> wrote:
>
> I'm trying to figure out if/how it is possible to use Broker::Data in an
> event handler as follows:
>
>     event foo(x: Broker::Data)
>         {
>         print x;
>         }

No, but you can try to use 'any' instead of 'Broker::Data'. Examples/ideas:

    # Bro code

    type myvec: vector of any;

    type myrec: record {
        a: string &optional;
        b: count &optional;
        c: int &optional;
    };

    event bar(x: any)
        {
        switch ( x ) {
        case type myrec as r:
            print "record", r;
            break;
        case type string as s:
            print "string", s;
            break;
        case type int as i:
            print "int", i;
            break;
        case type count as c:
            print "count", c;
            break;
        case type myvec as v:
            {
            print "vector", v;

            for ( i in v )
                event bar(v[i]);
            }
            break;
        default:
            print "got unknown type", x;
            break;
        }
        }

    # Python code

    endpoint.publish("/test", broker.bro.Event("bar", "one"))
    endpoint.publish("/test", broker.bro.Event("bar", 2))
    endpoint.publish("/test", broker.bro.Event("bar", broker.Count(3)))
    endpoint.publish("/test", broker.bro.Event("bar",
                                               ["one", "two", broker.Count(3)]))
    endpoint.publish("/test", broker.bro.Event("bar",
                                               ["one", None, None]))

> The use case for having a Broker::Data in the Bro event handler is that
> the structure of the data is varying at runtime (similar to JSON).

Should be the same idea if you use the 'any' type along with
appropriate type checking/casting.

> (The code is a slightly adapted version from
> https://github.com/bro/broker/issues/11.)

This, plus a couple other bugs should now be fixed in bro + broker, so
make sure to update both if trying the above examples.

- Jon

On Mon, Sep 10, 2018 at 8:01 AM Matthias Vallentin <vallentin at icir.org> wrote:
>
> I'm trying to figure out if/how it is possible to use Broker::Data in an
> event handler as follows:
>
>     event foo(x: Broker::Data)
>         {
>         print x;
>         }
>
> I'm trying to send an event via the Python bindings:
>
>     event = broker.bro.Event("foo", broker.Data(42))
>     endpoint.publish("/test", event)
>
> However, Bro complains:
>
>     warning: failed to convert remote event 'foo' arg #0, got integer, expected record
>
> I tried both
>
>     event = broker.bro.Event("foo", 42)
>
> and a wrapped version
>
>     event = broker.bro.Event("foo", broker.Data(42))
>
> and even
>
>     event = broker.bro.Event("foo", broker.Data(broker.Data(42)))
>
> but it seems that nesting is not possible.
>
> The use case for having a Broker::Data in the Bro event handler is that
> the structure of the data is varying at runtime (similar to JSON).
>
> Matthias
>
> (The code is a slightly adapted version from
> https://github.com/bro/broker/issues/11.)
>
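
The "appropriate type checking/casting" suggested in the reply above can also be done with the 'is' and 'as' operators. The following is an added example, not code from the original thread or from the Bro project: it checks the shape of a JSON-like payload from a remote peer before the handler acts on it. The names anyvec, max_depth, payload_ok and the event baz are hypothetical, and it assumes a Bro build that has these operators and the fixes mentioned in the reply.

```bro
# Added example. All names below are hypothetical.
type anyvec: vector of any;

# Refuse payloads nested deeper than this (assumed limit).
const max_depth = 4;

# Return T only if x is a string, count or int, or a vector
# (nested at most max_depth levels) made up of such values.
function payload_ok(x: any, depth: count): bool
    {
    if ( (x is string) || (x is count) || (x is int) )
        return T;

    # Anything else must be a vector, and not nested too deeply.
    if ( ! (x is anyvec) )
        return F;

    if ( depth >= max_depth )
        return F;

    local v = x as anyvec;

    for ( i in v )
        {
        if ( ! payload_ok(v[i], depth + 1) )
            return F;
        }

    return T;
    }

event baz(x: any)
    {
    # Check the shape first; values of any other type are rejected here
    # instead of falling through to handler logic.
    if ( ! payload_ok(x, 0) )
        {
        Reporter::warning("baz: rejected remote payload with unexpected shape");
        return;
        }

    print "accepted", x;
    }
```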