[Bro] Re-reading data in the input framework

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Fri Jun 29 01:26:09 PDT 2012


Hello,

My tutorial probably was not very clear on this point. The line -- Input::remove("config_stream"); -- removes the input stream after the current input stream operation has been executed. Thus, in your script the input stream is closed right after the file has been read for the first time. After the stream is closed, changes to the input file will not be reflected in Bro, no matter the mode you chose.

Removing that single line should fix the problem :)

Bernhard

On Jun 28, 2012, at 11:47 PM, Sheharbano Khattak wrote:

> Hi,
> 
> I want to test if a table that holds data from an input source file with the automatic refresh mode "REREAD" reflects changes applied to the source file. This is what my file looks like
> 
> -----------------------------config.bro---------------------------------
> module Config;
> 
> type Idx: record {
>         parameter: string;
> };
> 
> type Val: record {
>         value: string;
> };
> 
> export {
>     global table_config: table[string] of Val;
> }
> 
> global config_filename = "/usr/local/bro/share/bro/site/botflex/config.txt";
> 
> event bro_init() &priority=20
>     {
>     Input::add_table([$source=config_filename, $name="config_stream", $idx=Idx, 
>               $val=Val, $destination=table_config, $mode=Input::REREAD]);
>     Input::remove("config_stream");
>     }
> 
> event Input::update_finished(name: string, source: string) 
>     {
>     # now all data is in the table
>     print "Updated";
>     print table_config;
>     }
> 
> event bro_done()
>     {
>     print "Ending";
>     print table_config;
>     }
> -------------------------------------------------------------------------------------------------------
> 
> I do bro -i eth0 config.bro. The first time, the event Input::update_finished is triggered with the values/indices defined in config.txt.
> Then I manually make some changes in config.txt and save the changes, but Input::update_finished is not triggered. After waiting for several minutes, I ctrl+c Bro hoping to see the modification in table_config; still it shows the old values. There is nothing interesting in reporter.log either. What am I doing wrong?
> 
> Thanks.
> -- 
> Sheharbano Khattak
> 
> http://etheryell.com
> 
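
The fix described in the reply, as an added example that is not part of the original thread: the script from the question with the Input::remove() call taken out of bro_init, plus a per-entry change event so each re-read is visible. The handler name config_change and the sample config.txt contents are assumptions made for illustration.

```bro
# Added example, not code from the original thread.
# Constructed sample config.txt for the ASCII reader (<TAB> = a literal tab):
#   #fields<TAB>parameter<TAB>value
#   scan_threshold<TAB>25
#   alert_email<TAB>soc@example.org

module Config;

type Idx: record {
        parameter: string;
};

type Val: record {
        value: string;
};

export {
    global table_config: table[string] of Val;
}

global config_filename = "/usr/local/bro/share/bro/site/botflex/config.txt";

# Hypothetical handler name. Raised once per entry that a (re-)read adds,
# changes or removes; tpe is Input::EVENT_NEW, EVENT_CHANGED or EVENT_REMOVED.
event config_change(desc: Input::TableDescription, tpe: Input::Event,
                    left: Idx, right: Val)
    {
    print fmt("%s: %s = %s", tpe, left$parameter, right$value);
    }

event bro_init() &priority=20
    {
    # No Input::remove() here: the stream has to stay open, otherwise
    # REREAD never sees later changes to the file.
    Input::add_table([$source=config_filename, $name="config_stream", $idx=Idx,
                      $val=Val, $destination=table_config, $mode=Input::REREAD,
                      $ev=config_change]);
    }

event Input::update_finished(name: string, source: string)
    {
    # Fires after every complete read of the file, not only the first one.
    if ( name == "config_stream" )
        print "Updated", table_config;
    }
```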
