[Bro] Using create_expire and expire_func
Siwek, Jonathan Luke
jsiwek at illinois.edu
Fri Apr 6 11:55:20 PDT 2012
Hi Sheharbano,
I inlined some notes:
> in try.bro:
> -----------------------------------------------------------------------------
> function inform_me(s: set[string], idx: any): interval
> {
> print "expired";
> return 5secs;
> }
The return value of an &expire_func indicates the amount of additional time to wait before expiring the element. So always returning "5secs" will never expire the element. Return "0secs" if you want the element removed automatically, or you could even "delete s[idx]" yourself.
> global s: set[string] &create_expire=5secs &expire_func=inform_me;
>
>
>
> event bro_init()
> {
>
> add s["i"];
> add s["am"];
> add s["here"];
>
> #s should have i,am,here
> print s;
>
> sleep(15);
>
> #s should be empty
> print s;
> }
> ----------------------------------------------------------------------------
> in bro.bif
> -----------------------------------------------------------------------------
> function sleep%(time_secs: count%): any
> %{
> usleep(time_secs * 1000000);
> return 0;
> %}
The sleep BIF you added doesn't look like it's enough to trigger the internal timers that Bro would use for table expiration, or at least I couldn't find a way, but reading input from a pcap file that captured traffic for longer than your expiration interval could allow you to test it. You could handle the "new_connection" event and check the contents of your global table there.
I did find a bug for the case when reading input live from an interface that would prevent expiry of table values set in bro_init(), for which I committed a fix in the git fastpath branch. Also in fastpath, I made a test script you could refer to: testing/btest/language/expire_func.test.
+Jon
More information about the Bro
mailing list