[Bro] Using create_expire and expire_func
Sheharbano Khattak
sheharbano.k at gmail.com
Thu Apr 5 23:41:36 PDT 2012
Dear Bro Team,
I have a global table that i populate at the time of initialization
(bro_init). I want to empty it every x minutes to fill it up with fresh
values. This means that i also need to be notified when the table is being
emptied. It seems to me that the attributes &create_expire and &expire_func
will be helpful for my requirements. I wrote a quick script to check if the
behavior matches my expectation. However, it doesn't seems to work as
expected. Here is my script:
in try.bro:
-----------------------------------------------------------------------------
function inform_me(s: set[string], idx: any): interval
{
print "expired";
return 5secs;
}
global s: set[string] &create_expire=5secs &expire_func=inform_me;
event bro_init()
{
add s["i"];
add s["am"];
add s["here"];
#s should have i,am,here
print s;
sleep(15);
#s should be empty
print s;
}
----------------------------------------------------------------------------
in bro.bif
-----------------------------------------------------------------------------
function sleep%(time_secs: count%): any
%{
usleep(time_secs * 1000000);
return 0;
%}
------------------------------------------------------------------------------
OUTPUT
-----------------------------------------------------------------------------
root at sheharbano-Inspiron-N5010:/home/sheharbano/Desktop# bro tryy.bro
{
here,
i,
am
}
{
here,
i,
am
}
-----------------------------------------------------------------------------------
Why isn't 's' empty on second print?
Regards,
--
Sheharbano Khattak
Research Assistant @ NUST, Pakistan.
http://etheryell.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120406/7286097e/attachment.html
More information about the Bro
mailing list