[Bro] Playing with the input framework

Sheharbano Khattak sheharbano.k at gmail.com
Thu Jun 28 12:06:29 PDT 2012


Hi,

I recently finished reading about the new input framework
http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it
very interesting. As a first step, I tried implementing the example about
reading data into tables mentioned here
http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html.
My bro and source blacklist file look like this:

---------------------------------try.bro----------------------------------------------
module Try;

type Idx: record {
        ip: addr;
};

type Val: record {
        timestamp: time;
        reason: string;
};

global blacklist: table[addr] of Val = table();

event bro_init()
    {
    print "hello";
    Input::add_table([$source="bl.txt", $name="bl_stream", $idx=Idx, $val=Val, $destination=Try::blacklist]);
    Input::remove("bl_stream");
    print "bye";
    }

event Input::update_finished(name: string, source: string)
    {
    # now all data is in the table
    print "Updated";
    print Try::blacklist;
    }

----------------------------bl.txt---------------------------------------------

#fields ip    timestamp    reason
#types    addr    time    string
192.168.17.1    1333252748    Malware host
192.168.27.2    1330235733    Botnet server
192.168.250.3    1333145108    Virus detected

---------------------------------------------------------------------------------
Initially, I tried "bro -r file.pcap try.bro" but it didn't work. To
provide ample time for reading in the blacklist, I tried "bro -i eth0
try.bro". The output displays hello and bye but the blacklist wasn't
printed even after 5 minutes. I tried giving the absolute source path, i.e.
"/home/myname/bl.txt", but to no avail.

Moreover, I purposely gave a wrong input source file and no error was
displayed. I feel an appropriate error message would be helpful if someone
has mistyped the source file name or if it doesn't exist.

Regards,
-- 
Sheharbano Khattak

http://etheryell.com
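The table-loading pattern the post is working through, as an added example that is not the poster's script: a one-shot read of a blacklist into a `table[addr] of Val`. Because the input framework reads the source file asynchronously, `Input::add_table` returns before any rows have arrived; this example therefore keeps the stream registered until `Input::update_finished` reports that the table is populated, and only then prints the table, removes the stream and starts using the table for lookups in `connection_established`. The record and stream names are the ones from the post; the `connection_established` handler and its output are assumptions added here to show the loaded table being used.

```bro
# Added example (not the original poster's code): load a blacklist into a
# table and act on it only once the input framework has finished reading.
module Try;

type Idx: record {
    ip: addr;
};

type Val: record {
    timestamp: time;
    reason: string;
};

global blacklist: table[addr] of Val = table();

event bro_init()
    {
    # Reading is asynchronous: add_table returns immediately, so the stream
    # must stay registered until update_finished fires for it.
    Input::add_table([$source="bl.txt", $name="bl_stream",
                      $idx=Idx, $val=Val, $destination=blacklist]);
    }

event Input::update_finished(name: string, source: string)
    {
    # Other scripts may register their own streams; only handle ours.
    if ( name != "bl_stream" )
        return;

    print fmt("Loaded %d blacklist entries from %s", |blacklist|, source);
    for ( ip in blacklist )
        print fmt("%s  %s  (%s)", ip, blacklist[ip]$reason, blacklist[ip]$timestamp);

    # One-shot load: the data is in the table, so the stream can go now.
    Input::remove(name);
    }

event connection_established(c: connection)
    {
    # Use the loaded table as a detection: flag connections to listed hosts.
    if ( c$id$resp_h in blacklist )
        print fmt("connection to blacklisted host %s: %s",
                  c$id$resp_h, blacklist[c$id$resp_h]$reason);
    }
```

Run it from the directory that contains `bl.txt` (for example `bro -i eth0 try.bro`); the ASCII reader expects the `#fields` and `#types` header lines and each data row to be separated by single tab characters, not runs of spaces, so a file that was reformatted with spaces yields an empty table.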