[Bro] Playing with the input framework
Sheharbano Khattak
sheharbano.k at gmail.com
Thu Jun 28 12:06:29 PDT 2012
Hi,
I recently finished reading about the new input framework
http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it
very interesting. As a first step, i tried implementing the example about
reading data into tables mentioned here
http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html.
My bro and source blacklist file look like this:
---------------------------------try.bro----------------------------------------------
module Try;

type Idx: record {
    ip: addr;
};

type Val: record {
    timestamp: time;
    reason: string;
};

global blacklist: table[addr] of Val = table();

event bro_init()
{
    print "hello";
    Input::add_table([$source="bl.txt", $name="bl_stream", $idx=Idx,
                      $val=Val, $destination=Try::blacklist]);
    Input::remove("bl_stream");
    print "bye";
}

event Input::update_finished(name: string, source: string)
{
    # now all data is in the table
    print "Updated";
    print Try::blacklist;
}
----------------------------bl.txt---------------------------------------------
#fields ip timestamp reason
#types addr time string
192.168.17.1 1333252748 Malware host
192.168.27.2 1330235733 Botnet server
192.168.250.3 1333145108 Virus detected
---------------------------------------------------------------------------------
Initially, I tried "bro -r file.pcap try.bro" but it didn't work. To
provide ample time for reading in the blacklist, I tried "bro -i eth0
try.bro". The output displays hello and bye, but the blacklist wasn't
printed even after 5 minutes. I tried giving the absolute source path, i.e.,
"/home/myname/bl.txt", but to no avail.
Moreover, I purposely gave a wrong input source file and no error was
displayed. I feel an appropriate error message would be helpful if someone
has mistyped the source file name or if it doesn't exist.
Regards,
--
Sheharbano Khattak
http://etheryell.com
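A small checker for a Bro ASCII input file, added here as an example and not part of Bro or of the post's own code. Bro's ASCII reader splits columns on TAB by default (Input::separator), so a line such as "192.168.17.1 1333252748 Malware host" written with spaces has one column instead of three; the checker reports that mismatch and also verifies that each value parses as the type declared in the #types line. It assumes the default separator and handles only the addr, time/double/interval and string types; the sample file contents below are constructed.

```python
import ipaddress

SEP = "\t"   # Bro's ASCII reader splits columns on TAB unless Input::separator is changed

def check_value(typ, value):
    # Return None if value parses as the Bro type named in #types, else a message.
    try:
        if typ == "addr":
            ipaddress.ip_address(value)
        elif typ in ("time", "double", "interval"):
            float(value)
        elif typ != "string":
            return f"type {typ!r} not handled by this checker"
    except ValueError:
        return f"{value!r} is not a valid {typ}"
    return None

def validate_table_file(text):
    # Check the file's data rows against its own #fields/#types header lines.
    problems, fields, types = [], None, None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split(SEP)[1:]
        elif line.startswith("#types"):
            types = line.split(SEP)[1:]
        elif line.startswith("#"):
            pass                          # other directives are not checked here
        elif not fields or not types:
            problems.append(f"line {lineno}: data before a tab-separated #fields/#types header")
        elif len(cols := line.split(SEP)) != len(fields):
            problems.append(f"line {lineno}: expected {len(fields)} tab-separated "
                            f"columns, got {len(cols)} (spaces instead of tabs?)")
        else:
            for name, typ, value in zip(fields, types, cols):
                msg = check_value(typ, value)
                if msg:
                    problems.append(f"line {lineno}: field {name}: {msg}")
    if not fields or not types:
        problems.append("missing or empty #fields/#types header (names must be tab-separated)")
    elif len(fields) != len(types):
        problems.append("#fields and #types list a different number of columns")
    return problems

# Constructed sample: the post's bl.txt with tabs (as Bro expects) and with spaces.
TABBED = "#fields\tip\ttimestamp\treason\n#types\taddr\ttime\tstring\n192.168.17.1\t1333252748\tMalware host\n"
SPACED = TABBED.replace("\t", " ")
```

Run it on the real file with `validate_table_file(open(path).read())`; checking `os.path.isfile(path)` first gives the missing-file error the post asks for.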