[Bro] xml / json parsers

Robin Sommer robin at icir.org
Tue Jan 12 10:01:17 PST 2010


On Mon, Jan 11, 2010 at 17:29 -0500, you wrote:

> Has anyone out there written a generic xml and/or json parser for  
> Bro?  

Hi Dan,

yes and no. "No" because not in the traditional sense of manually
writing a parser. "Yes" because there's what I think is a very cool
piece for analyzing XML: we have an experimental analyzer that
performs live xqueries: it looks for XML documents going over the
wire and then performs customizable queries to extract interesting
stuff; the results of the queries are then *automatically* turned
into events, for which you can then write Bro script handlers
for further processing.

If you want to give it a try, you can find the analyzer in my work
branch (see CHANGES.features there). It is however indeed quite
experimental. The basic functionality is there and should be
working[1] but the main open question is performance: I have no idea
whether the XML libraries it uses are sufficiently efficient for
realistic online operation. Nobody has really looked into that yet.
(The analyzer doesn't have a maintainer anymore as the person who
wrote it has moved on to other things). 

Robin

[1] Haven't tried it in a while though; it pulls in these huge XML
libraries, and I remember some trouble getting it to compile with
updated versions; that might take a few cycles again assuming
further library updates have come out in the meantime.

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org


