[Bro] about "*.bif files"

Ruoming Pang rpang at CS.Princeton.EDU
Sun Oct 24 00:59:09 PDT 2004


> Well, another question :) There are many *.bif files in the src
> directory. I don't know the format and use of these files. Please
> explain in as much detail as possible. Thanks!

Cliff,

The .bif files contain the code of Bro built-in functions ("bif" stands
for "built-in function"). Built-in functions are implemented in C++ and
can be called by policy scripts. The bif compiler (bifcl) takes a .bif
file and generates the corresponding C++ segments and Bro language
declarations, so that each function only needs to be written once in a
.bif file and the actual C++/Bro code will be automatically generated.

For example, below is the bif code for function byte_len (in bro.bif):

function byte_len%(s: string%): count
         %{
         return new Val(s->Len(), TYPE_COUNT);
         %}

Note that it first starts with a function prototype in Bro language 
(but with %( and %)), and between %{ and %} is the C++ implementation 
of the function. It is translated into the following four pieces by 
bifcl:

1) A Bro prototype in policy/bro.bif.bro (which is loaded in bro.init):

global byte_len: function(s: string): count;

2) A C++ function prototype in bro.bif.func_h:

extern Val* bro_byte_len(val_list*);

3) A C++ function implementation in bro.bif.func_def (included in
Func.cc):

Val* bro_byte_len(val_list* BiF_ARGS)

#line 432 "bro.bif"
{
         if ( BiF_ARGS->length() != 1 )
                 {
                 run_time("byte_len() takes exactly 1 argument(s)");
                 return 0;
                 }
         BroString* s = (BroString*) ((*BiF_ARGS)[0]->AsString());

#line 432 "bro.bif"

         return new Val(s->Len(), TYPE_COUNT);
         } // end of byte_len

4) Initialization code that associates the C++ function with the name
"byte_len" in bro.bif.func_init (also included in Func.cc):

         extern Val* bro_byte_len(val_list*);
         (void) new BuiltinFunc(bro_byte_len, "byte_len", 0);

While the bif compiler was originally written for built-in functions 
only, it was later extended to declare events (in event.bif) and 
constants (in const.bif) as well. Three additional files are generated 
for these declarations (.netvar_h, .netvar_def and .netvar_init). How 
it works is quite straightforward once you take a look at these files 
(e.g. for event.bif).

I hope it helps. Please feel free to ask if you have further questions.

Ruoming




