[Bro] Re-reading data in the input framework

Sheharbano Khattak sheharbano.k at gmail.com
Fri Jun 29 01:45:51 PDT 2012


Thanks. I thought it creates a new stream for each read/remove. From your
answer, it appears that each source with REREAD mode gets a dedicated
stream that exists as long as Bro runs.

Regards,

On Fri, Jun 29, 2012 at 1:26 AM, Bernhard Amann
<bernhard at icsi.berkeley.edu> wrote:

> Hello,
>
> my tutorial probably was not very clear on this point. The line
> -- Input::remove("config_stream"); -- removes the input stream after the
> current input stream operation has been executed. Thus, in your script the
> input stream is closed right after the file has been read for the first
> time. After the stream is closed, changes to the input file will not be
> reflected in Bro, no matter the mode you chose.
>
> Removing that single line should fix the problem :)
>
> Bernhard
>
> On Jun 28, 2012, at 11:47 PM, Sheharbano Khattak wrote:
>
> Hi,
>
> I want to test if a table that holds data from an input source file with
> the automatic refresh mode "REREAD" reflects changes applied to the source
> file. This is what my file looks like:
>
> -----------------------------config.bro---------------------------------
> module Config;
>
> type Idx: record {
>         parameter: string;
> };
>
> type Val: record {
>         value: string;
> };
>
> export {
>     global table_config: table[string] of Val;
> }
>
> global config_filename = "/usr/local/bro/share/bro/site/botflex/config.txt";
>
> event bro_init() &priority=20
>     {
>     Input::add_table([$source=config_filename, $name="config_stream",
>                       $idx=Idx, $val=Val, $destination=table_config,
>                       $mode=Input::REREAD]);
>     Input::remove("config_stream");
>     }
>
> event Input::update_finished(name: string, source: string)
>     {
>     # now all data is in the table
>     print "Updated";
>     print table_config;
>     }
>
> event bro_done()
>     {
>     print "Ending";
>     print table_config;
>     }
>
> -------------------------------------------------------------------------------------------------------
>
> I do bro -i eth0 config.bro. The first time, the event
> Input::update_finished is triggered with the values/indices defined in
> config.txt.
> Then I manually make some changes in config.txt and save the changes, but
> Input::update_finished is not triggered. After waiting for several minutes,
> I Ctrl+C Bro hoping to see the modification in table_config; still it shows
> the old values. There is nothing interesting in reporter.log either. What
> am I doing wrong?
>
> Thanks.
> --
> Sheharbano Khattak
>
> http://etheryell.com
>


-- 
Sheharbano Khattak

http://etheryell.com