[Bro] Playing with the input framework

Sheharbano Khattak sheharbano.k at gmail.com
Thu Jun 28 12:28:33 PDT 2012


Thank you. Indeed there was a tabulation problem. On a side note, how do
you decide which errors are directed to the console and which ones are
reported in reporter.log ?

Regards,

On Fri, Jun 29, 2012 at 12:14 AM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:

> Hello Sheharbano,
>
> I just tried your example and it seems to work fine. Please note that the
> fields in the file "bl.txt" need to be separated with tabulators -
> including the header lines. If you simply copied the example from the
> website it probably ended up being separated with spaces.
>
> The input framework outputs error messages. These are written into the
> file reporter.log (where most Bro error messages end up).
>
> If the file contains a line that looks like
> "Reporter::ERROR InputReader/bl.txt: Not enough fields in line…"
> the framework is complaining about missing tabulator-separated fields (because it
> is not finding enough tab-separated entries in the line it read).
>
> I hope that helps - if it still does not solve your problem please write
> again.
>
> Bernhard
>
>
> On Jun 28, 2012, at 12:06 PM, Sheharbano Khattak wrote:
>
> Hi,
>
> I recently finished reading about the new input framework
> http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it
> very interesting. As a first step, I tried implementing the example about
> reading data into tables mentioned here
> http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html.
> My bro and source blacklist file look like this:
>
>
> ---------------------------------try.bro----------------------------------------------
> module Try;
>
> type Idx: record {
>     ip: addr;
> };
>
> type Val: record {
>     timestamp: time;
>     reason: string;
> };
>
> global blacklist: table[addr] of Val = table();
>
> event bro_init()
>     {
>     print "hello";
>     Input::add_table([$source="bl.txt", $name="bl_stream", $idx=Idx, $val=Val, $destination=Try::blacklist]);
>     Input::remove("bl_stream");
>     print "bye";
>     }
>
> event Input::update_finished(name: string, source: string)
>     {
>     # now all data is in the table
>     print "Updated";
>     print Try::blacklist;
>     }
>
>
> ----------------------------bl.txt---------------------------------------------
>
> #fields ip    timestamp    reason
> #types    addr    time    string
> 192.168.17.1    1333252748    Malware host
> 192.168.27.2    1330235733    Botnet server
> 192.168.250.3    1333145108    Virus detected
>
>
> ---------------------------------------------------------------------------------
> Initially, I tried "bro -r file.pcap try.bro" but it didn't work. To
> provide ample time for reading in the blacklist, I tried "bro -i eth0
> try.bro". The output displays hello and bye but the blacklist wasn't
> printed even after 5 minutes. I tried giving the absolute source path, i.e.
> "/home/myname/bl.txt", but to no avail.
>
> Moreover, I purposely gave a wrong input source file and no error was
> displayed. I feel an appropriate error message will be helpful if someone
> has mistyped the source file name or if it doesn't exist.
>
> Regards,
> --
> Sheharbano Khattak
>
> http://etheryell.com
>
>


-- 
Sheharbano Khattak

http://etheryell.com
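The tab-separation requirement Bernhard describes above, as an added example that is not part of the thread: a small Python checker (a hypothetical helper, not a Bro tool) that validates an ASCII input file such as bl.txt before Input::add_table reads it, flagging the space-separated header and data lines that lead to the "Not enough fields in line" reporter error. The sample files are constructed from the blacklist posted in the thread.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: the thread's blacklist written with TABs, as the input reader requires.
GOOD_BL = (
    "#fields\tip\ttimestamp\treason\n"
    "#types\taddr\ttime\tstring\n"
    "192.168.17.1\t1333252748\tMalware host\n"
    "192.168.27.2\t1330235733\tBotnet server\n"
    "192.168.250.3\t1333145108\tVirus detected\n"
)
# Constructed sample: the same file as it ends up after copy-pasting from a web page (spaces).
SPACED_BL = GOOD_BL.replace("\t", "    ")

def check_input_file(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) pairs; an empty list means the layout passes."""
    problems: List[Tuple[int, str]] = []
    fields: List[str] = []
    types: List[str] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        cols = line.split("\t")  # the reader splits on TAB only, never on runs of spaces
        if line.startswith("#fields"):
            fields = cols[1:]
            if not fields:
                problems.append((lineno, "#fields header is not tab-separated"))
            continue
        if line.startswith("#types"):
            types = cols[1:]
            if not types:
                problems.append((lineno, "#types header is not tab-separated"))
            elif len(types) != len(fields):
                problems.append((lineno, f"#types lists {len(types)} types for {len(fields)} fields"))
            continue
        if line.startswith("#"):
            continue  # other directives (#separator, #path, ...) are not checked here
        if not fields:
            problems.append((lineno, "data line without a tab-separated #fields header"))
            continue
        if len(cols) != len(fields):
            hint = " (fields look space-separated)" if len(cols) == 1 and " " in line else ""
            problems.append((lineno, f"expected {len(fields)} tab-separated fields, found {len(cols)}{hint}"))
            continue
        for value, typ in zip(cols, types):  # type-check the addr column used in the thread
            if typ == "addr":
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    problems.append((lineno, f"{value!r} is not a valid addr"))
    return problems
```

Note that a blind space-to-tab substitution is not a fix: it splits "Malware host" into two fields and the checker then reports too many fields on each data line, so the separators have to be retyped as single TABs.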