[Bro] Playing with the input framework

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Thu Jun 28 12:32:16 PDT 2012


Nearly everything ends up in reporter.log.

The only things (I know of) that are directly reported to the command line are fatal errors like wrong command line switches or syntax errors in scripts that are encountered while parsing them. 

Bernhard

On Jun 28, 2012, at 12:28 PM, Sheharbano Khattak wrote:

> Thank you. Indeed there was a tabulation problem. On a side note, how do you decide which errors are directed to the console and which ones are reported in reporter.log?
> 
> Regards,
> 
> On Fri, Jun 29, 2012 at 12:14 AM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:
> Hello Sheharbano,
> 
> I just tried your example and it seems to work fine. Please note that the fields in the file "bl.txt" need to be separated with tabulators - including the header lines. If you simply copied the example from the website it probably ended up being separated with spaces.
> 
> The input framework outputs error messages. These are written into the file reporter.log (where most Bro error messages end up).
> 
> If the file contains a line that looks like 
> "Reporter::ERROR	InputReader/bl.txt: Not enough fields in line…" 
> the framework is complaining about missing tabulators-fields (because it is not finding enough tab-separated entries in the line it read).
> 
> I hope that helps - if it still does not solve your problem please write again.
> 
> Bernhard
> 
> 
> On Jun 28, 2012, at 12:06 PM, Sheharbano Khattak wrote:
> 
>> Hi,
>> 
>> I recently finished reading about the new input framework http://www.icsi.berkeley.edu/~bernhard/papers/loneWolf.pdf and found it very interesting. As a first step, I tried implementing the example about reading data into tables mentioned here http://blog.bro-ids.org/2012/06/upcoming-loading-data-into-bro-with.html. My bro and source blacklist file look like this:
>> 
>> ---------------------------------try.bro----------------------------------------------
>> module Try;
>> 
>> type Idx: record {
>>         ip: addr;
>> };
>> 
>> type Val: record {
>>         timestamp: time;
>>         reason: string;
>> };
>> 
>> global blacklist: table[addr] of Val = table();
>> 
>> event bro_init()
>>     {
>>     print "hello";
>>     Input::add_table([$source="bl.txt", $name="bl_stream", $idx=Idx, $val=Val, $destination=Try::blacklist]);
>>     Input::remove("bl_stream");
>>     print "bye";
>>     }
>> 
>> event Input::update_finished(name: string, source: string)
>>     {
>>     # now all data is in the table
>>     print "Updated";
>>     print Try::blacklist;
>>     }
>> 
>> ----------------------------bl.txt---------------------------------------------
>> 
>> #fields ip    timestamp    reason
>> #types    addr    time    string
>> 192.168.17.1    1333252748    Malware host
>> 192.168.27.2    1330235733    Botnet server
>> 192.168.250.3    1333145108    Virus detected
>> 
>> ---------------------------------------------------------------------------------
>> Initially, I tried "bro -r file.pcap try.bro" but it didn't work. To provide ample time for reading in the blacklist, I tried "bro -i eth0 try.bro". The output displays hello and bye but the blacklist wasn't printed even after 5 minutes. I tried giving the absolute source path, i.e. "/home/myname/bl.txt", but to no avail.
>> 
>> Moreover, I purposely gave a wrong input source file and no error was displayed. I feel an appropriate error message will be helpful if someone has mistyped the source file name or if it doesn't exist.
>> 
>> Regards,
>> -- 
>> Sheharbano Khattak
>> 
>> http://etheryell.com
>> 
>> 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> -- 
> Sheharbano Khattak
> 
> http://etheryell.com
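A pre-flight check for a file like bl.txt, added here as an example (it is not part of the thread or of Bro): it flags header and data lines that are not tab-separated, which is the mismatch behind the "Not enough fields in line" message quoted above, and sanity-checks addr and time columns against the #types line. The two sample files are constructed inline and the check assumes Bro's default tab separator.

```python
import ipaddress

# Constructed samples (not the thread's attachments): bl.txt with real tabs,
# and the same file as copied from a web page, with spaces instead of tabs.
GOOD_BL_TXT = (
    "#fields\tip\ttimestamp\treason\n"
    "#types\taddr\ttime\tstring\n"
    "192.168.17.1\t1333252748\tMalware host\n"
    "192.168.27.2\t1330235733\tBotnet server\n"
    "192.168.250.3\t1333145108\tVirus detected\n"
)
BAD_BL_TXT = GOOD_BL_TXT.replace("\t", "    ")

def check_bro_input_file(text):
    """Return the problems found in a Bro input-framework ASCII table file
    (empty list = consistent). Assumes the default tab separator."""
    fields, types, problems = None, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#fields") or line.startswith("#types"):
            names = line.split("\t")[1:]  # the header lines are tab-separated too
            if not names:
                problems.append(f"line {lineno}: {line.split()[0]} header has no "
                                "tab separators (spaces instead of tabs?)")
            if line.startswith("#fields"):
                fields = names
            else:
                types = names
                if fields is not None and len(types) != len(fields):
                    problems.append(f"line {lineno}: #types lists {len(types)} "
                                    f"entries, #fields lists {len(fields)}")
            continue
        if fields is None:
            problems.append(f"line {lineno}: data line before #fields header")
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):  # the case behind "Not enough fields in line"
            problems.append(f"line {lineno}: expected {len(fields)} tab-separated "
                            f"fields, found {len(cols)}")
            continue
        for typ, val in zip(types, cols):  # light value check for addr/time columns
            try:
                if typ == "addr":
                    ipaddress.ip_address(val)
                elif typ == "time":
                    float(val)
            except ValueError:
                problems.append(f"line {lineno}: {val!r} is not a valid {typ}")
    return problems
```

Running it on the space-separated copy reports both header lines and every data line, while the tab-separated file passes cleanly.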
