[Bro] Load Single Column Table with Input Framework
Chris Crawford
christopher.p.crawford at gmail.com
Wed Nov 6 09:51:28 PST 2013
I'm following the tutorial on the input framework:
http://www.bro.org/sphinx/input.html
Everything works great. But, if my blacklist is only one column (i.e. I
remove the other columns so that I'm only left with the "ip" column), I run
into issues.
The docs for Input::add_table say that val is optional:
<quote>
val: any &optional
Record that defines the values used as the elements of the table. If val is
undefined, destination has to be a set.
</quote>
So, I fixed my script to look like this:
<new_script>
type Idx: record {
    ip: addr;
};
global blacklist: set[addr];
event bro_init() {
    Input::add_table([$source="blacklist.file", $name="blacklist",
                      $idx=Idx, $destination=blacklist]);
    print(|blacklist|);
    Input::remove("blacklist");
}
</new_script>
No more val and changed the table to a set of addr.
The size for blacklist that gets printed out is 0, even though
blacklist.file looks like this:
<blacklist.file>
#fields ip
#types addr
192.168.17.1
192.168.27.2
192.168.250.3
</blacklist.file>
I expected print(|blacklist|) to print out 3.
I know I must be missing something simple. What am I missing? How should
I read in a single column table?
-Chris
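
An added example, not part of the original message or of the Bro documentation: the input framework reads files asynchronously, so the contents of a destination are only available once the `Input::end_of_data` event fires for that stream. The sketch below loads the same single-column file into a set and reports its size from that event. It assumes `blacklist.file` is the file shown above with tab-separated `#fields` and `#types` header lines.

```bro
# Added example: single-column blacklist loaded into a set.
# Assumes blacklist.file (from the message above) uses the tab-separated
# ASCII reader format.

type Idx: record {
    ip: addr;
};

global blacklist: set[addr];

event bro_init()
    {
    # No $val is given, so the destination has to be a set whose index
    # type matches the fields of Idx.
    Input::add_table([$source="blacklist.file", $name="blacklist",
                      $idx=Idx, $destination=blacklist]);
    # add_table only schedules the read and returns immediately;
    # the set has not been filled at this point.
    }

event Input::end_of_data(name: string, source: string)
    {
    # This event is raised for every input stream; only handle ours.
    if ( name != "blacklist" )
        return;

    # The whole file has been read, so the set is now populated.
    print |blacklist|;

    # Remove the stream only after the data has been delivered.
    Input::remove("blacklist");
    }
```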