[Bro] Accessing bro variables in c

Christian Kreibich christian at whoop.org
Thu Jun 16 15:34:31 PDT 2005 

On Thu, 2005-06-16 at 17:02 -0500, Mike Muratet wrote:
>
> Well, maybe. It's printing '??'. '?' is a valid string for this field if I 
> remember the bro manual correctly. I don't see anything in the logs that has 
> protocol information so maybe '?' is what bro thinks. I have seen 'ssh' in 
> bro output when reading tcpdump files, but the '?' could be an artifact 
> here.

Mhmm I'm not sure -- I'll have to test extracting fields from connection
records myself to be sure. It might take me a bit but I'll get back to
you on this.

> Prior to this my entire bro experience was reading tcpdump files and it 
> seems like the interesting info came out on stdout. Maybe I should have 
> redirected stdout when I started bro from the command line? I opted not to 
> send emails when I configured bro, and there's nothing in the reports 
> subdirectory. If I can figure out where the reports are going I'll check to 
> see what bro is writing to the logs. Maybe '?' is the right answer (at least 
> as far as the interface is concerned).

I'd look at the connection summaries created by conn.bro directly. I'm
somewhat sceptical whether ?? is really the output you should get.

> > Also note that strings are actually instances of BroString, so in order
> > to get to the resulting string you want to use
> >
> >  printf("%s event received\n", result->str_val);
> >
> 
> I don't see this field in the on-line manual. Is BroString defined somewhere 
> else?

Try here:

  http://www.cl.cam.ac.uk/~cpk25/broccoli/manual/c86.html#AEN122

I just added a paragraph on how to extract fields from records to the
documentation and put it in CVS. It'll be in the next release and is
essentially what I said in my previous posting.

> Thanks. I'll be glad to get this working.

If everything else works but you just don't seem to get the right values
out of the record fields, you could try creating wrapper events that get
triggered from the event handlers you're actually interested in, but
only have the fields you care about in atomic (non-record) form. That's
exactly the difference between broping.bro and broping-record.bro, btw.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org

More information about the Bro mailing list