From grue at merit.edu Thu Nov 12 10:32:01 1998
From: grue at merit.edu (Paul Howell)
Date: Thu, 12 Nov 1998 13:32:01 -0500
Subject: just getting started
Message-ID: <199811121832.NAA13651@merit.edu>

Hi,

I'm just getting started with bro. I have bro-pub-0.5a1 running on
Solaris 2.6. But I have some questions which are pretty simple.

Where would I find a list of all of the "events" or public functions
which I could use in the scripting language?

Given that I had a list of "events", what are the variables associated
with each event that I can access from a script?

Are there any more scripts available?

I've read the paper so I apologize if these are answered in it (I didn't
see them). I'd like to start writing my own scripts and want to get up to
speed on bro asap.

Thanks.

< paul

From vern at ee.lbl.gov Thu Nov 12 13:53:09 1998
From: vern at ee.lbl.gov (Vern Paxson)
Date: Thu, 12 Nov 1998 13:53:09 PST
Subject: just getting started
In-Reply-To: Your message of Thu, 12 Nov 1998 13:32:01 EST.
Message-ID: <199811122153.NAA29518@daffy.ee.lbl.gov>

> Where would I find a list of all of the "events" or public functions
> which I could use in the scripting language?

These are listed in pub-policy/bro.init (I know, not at all intuitive).
The next release will have a pointer to that file, and it will be thoroughly
commented to explain each event.

> Given that I had a list of "events", what are the variables associated
> with each event that I can access from a script?

Defined in the same place. bro.init lists the type signatures of each
event, i.e. the function parameter names and types.

> Are there any more scripts available?

Just those in pub-policy.

> I've read the paper so I apologize if these are answered in it (I didn't
> see them).

They're not; and in any case, I encourage questions, please ask as they arise.

Vern

From grue at merit.edu Thu Nov 12 14:02:01 1998
From: grue at merit.edu (Paul Howell)
Date: Thu, 12 Nov 1998 17:02:01 -0500
Subject: just getting started
In-Reply-To: Your message of Thu, 12 Nov 1998 13:53:09 -0800.
Message-ID: <199811122202.RAA21051@merit.edu>

> > Where would I find a list of all of the "events" or public functions
> > which I could use in the scripting language?
>
> These are listed in pub-policy/bro.init (I know, not at all intuitive).
> The next release will have a pointer to that file, and it will be thoroughly
> commented to explain each event.

Thanks, I'll take a look.

I noticed that there aren't any references to ICMP, either in the source
or in the .bro's. Is ICMP supported? And if not, when?

Thanks.

< Paul

From vern at ee.lbl.gov Thu Nov 12 15:52:15 1998
From: vern at ee.lbl.gov (Vern Paxson)
Date: Thu, 12 Nov 1998 15:52:15 PST
Subject: just getting started
In-Reply-To: Your message of Thu, 12 Nov 1998 17:02:01 EST.
Message-ID: <199811122352.PAA00048@daffy.ee.lbl.gov>

> Is ICMP supported?

No.

> And if not, when?

Probably when someone else contributes a module for doing it. My near-term
Bro development cycles are for adding regular-expression matching. However,
I'm interested in having ICMP, so will probably work on it in the future
if no one else has done so.

Vern