[Bro] Documentation about List/Queue/HashMap data structures in Bro

Ruoming Pang rpang at cs.princeton.edu
Thu May 18 12:15:28 PDT 2006


Hi Abhinay,

> 1) I am trying to correlate traffic in the two directions of a
> connection. I am currently using the "DataSent" method of the
> "TCP_Endpoint" class to do some processing when data is sent by an
> endpoint of a connection.

For this type of analysis it might be better to write a Bro script  
instead of adding code directly to the engine.

TCP_Endpoint::DataSent() corresponds to the event:

	event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);

Or if you want reassembled contents:

	event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);

> 2) I need to maintain the different endpoints in some sort of
> ArrayList/HashMap. I observed that there are already some list/queue
> implementations in Bro. Where can I find documentation about using
> these data structures regarding available methods / method parameters,
> etc.

You may use "table" and "set" in the Bro language. Please see scripts  
under bro/policy/ for examples.

Ruoming
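As an added illustration of the approach suggested in the reply above (this script is not part of the original message), the following Bro script uses the tcp_contents event to accumulate per-direction byte counts in tables keyed by connection id, then reports both directions together when the connection's state is removed. It assumes the tcp_content_deliver_all_orig/resp globals and the connection_state_remove event of Bro 1.x; the table names and output format are the example's own.

```bro
# Added example, not code from the original post. Correlates the two
# directions of a TCP connection with Bro "table" state instead of
# engine changes in TCP_Endpoint::DataSent().

# Assumption: tcp_contents is only generated for connections selected by
# these globals, so enable delivery for every connection in both directions.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

# Per-connection byte counters, one table per direction (names are the
# example's own). The &default makes a missing entry read as 0.
global bytes_orig: table[conn_id] of count &default = 0;
global bytes_resp: table[conn_id] of count &default = 0;

# Reassembled payload handed to the script; is_orig tells the direction.
event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	if ( is_orig )
		bytes_orig[c$id] = bytes_orig[c$id] + |contents|;
	else
		bytes_resp[c$id] = bytes_resp[c$id] + |contents|;
	}

# Report both directions once Bro discards the connection, then drop the
# table entries so the tables do not grow without bound.
event connection_state_remove(c: connection)
	{
	local id = c$id;
	if ( id in bytes_orig || id in bytes_resp )
		print fmt("%s:%s -> %s:%s  orig=%d resp=%d",
			  id$orig_h, id$orig_p, id$resp_h, id$resp_p,
			  bytes_orig[id], bytes_resp[id]);
	delete bytes_orig[id];
	delete bytes_resp[id];
	}
```

Handling the report in connection_state_remove rather than in tcp_contents is what lets the script see both directions side by side, and deleting the entries there keeps the per-endpoint state bounded on a busy link.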
