[Bro] about "*.bif files"
Ruoming Pang
rpang at CS.Princeton.EDU
Sun Oct 24 00:59:09 PDT 2004
> Well, another question :) There are many *.bif files in the src
> directory. I don't know the format and use of these files. Please
> explain in as much detail as possible. Thanks!
Cliff,
The .bif files contain code of Bro built-in functions ("bif" stands for
"built-in function"). Built-in functions are implemented in C++ and can
be called by policy scripts. The bif compiler (bifcl) takes a .bif file
and generates the corresponding C++ segments and Bro language
declarations, so that each function only needs to be written once in a
.bif file and the actual C++/Bro code will be automatically generated.
For example, below is the bif code for function byte_len (in bro.bif):
    function byte_len%(s: string%): count
        %{
        return new Val(s->Len(), TYPE_COUNT);
        %}
Note that it first starts with a function prototype in Bro language
(but with %( and %)), and between %{ and %} is the C++ implementation
of the function. It is translated into the following four pieces by
bifcl:
1) A Bro prototype in policy/bro.bif.bro (which is loaded in bro.init):
    global byte_len: function(s: string): count;
2) A C++ function prototype in bro.bif.func_h:
    extern Val* bro_byte_len(val_list*);
3) A C++ function implementation in bro.bif.func_def (included in
Func.cc):
    Val* bro_byte_len(val_list* BiF_ARGS)
    #line 432 "bro.bif"
    {
        if ( BiF_ARGS->length() != 1 )
        {
            run_time("byte_len() takes exactly 1 argument(s)");
            return 0;
        }
        BroString* s = (BroString*) ((*BiF_ARGS)[0]->AsString());
    #line 432 "bro.bif"
        return new Val(s->Len(), TYPE_COUNT);
    } // end of byte_len
4) Initialization code that associates the C++ function with the name
"byte_len" in bro.bif.func_init (also included in Func.cc):
    extern Val* bro_byte_len(val_list*);
    (void) new BuiltinFunc(bro_byte_len, "byte_len", 0);
While the bif compiler was originally written for built-in functions
only, it was later extended to declare events (in event.bif) and
constants (in const.bif) as well. Three additional files are generated
for these declarations (.netvar_h, .netvar_def and .netvar_init). How
it works is quite straightforward once you take a look at these files
(e.g. for event.bif).
I hope it helps. Please feel free to ask if you have further questions.
Ruoming