[Bro] Load Single Column Table with Input Framework

Azoff, Justin jazoff at albany.edu
Wed Nov 6 10:05:54 PST 2013


The table doesn't get loaded immediately. There is an "input file loaded" event you can print from, or for testing try using bro_done.

Chris Crawford <christopher.p.crawford at gmail.com> wrote:



I'm following the tutorial on the input framework:
http://www.bro.org/sphinx/input.html

Everything works great.  But, if my blacklist is only one column (i.e. I remove the other columns so that I'm only left with the "ip" column), I run into issues.

The docs for Input::add_table say that val is optional:
<quote>
val: any &optional

Record that defines the values used as the elements of the table. If val is undefined, destination has to be a set.
</quote>

So, I fixed my script to look like this:
<new_script>

type Idx: record {
        ip: addr;
};

global blacklist: set[addr];

event bro_init() {
        Input::add_table([$source="blacklist.file", $name="blacklist", $idx=Idx, $destination=blacklist]);
        print(|blacklist|);
        Input::remove("blacklist");
}

</new_script>

No more val and changed the table to a set of addr.

The size for blacklist that gets printed out is 0, even though blacklist.file looks like this:

<blacklist.file>
#fields ip
#types  addr
192.168.17.1
192.168.27.2
192.168.250.3
</blacklist.file>

I expected print(|blacklist|) to print out 3.

I know I must be missing something simple.  What am I missing?  How should I read in a single column table?

-Chris
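
The asynchronous load described in the reply, as an added example that is not part of either message. It assumes the "input file loaded" event is Input::end_of_data (the name in Bro 2.2 and later; Bro 2.1 called it Input::update_finished) and reuses the file and stream names from the question.

```bro
# Added example: read a single-column blacklist into a set and inspect it
# only after the input framework reports that the file has been read.
# Assumption: blacklist.file is in the Bro log format with tab-separated
# header lines, e.g. "#fields<TAB>ip" and "#types<TAB>addr".

type Idx: record {
        ip: addr;
};

global blacklist: set[addr];

# Assumed to be the event the reply refers to: raised once the reader has
# finished delivering the contents of the source to the destination set.
event Input::end_of_data(name: string, source: string)
        {
        if ( name != "blacklist" )
                return;

        print fmt("%s: %d entries loaded from %s", name, |blacklist|, source);
        print fmt("192.168.17.1 listed: %s", 192.168.17.1 in blacklist);

        # One-shot load: the stream is not needed once the file is read.
        # The entries stay in the set after the stream is removed.
        Input::remove("blacklist");
        }

event bro_init()
        {
        # No $val: with only an index record the destination must be a set.
        Input::add_table([$source="blacklist.file", $name="blacklist",
                          $idx=Idx, $destination=blacklist]);

        # Reading happens in the background, so the set has not been
        # filled yet when this handler returns.
        print fmt("in bro_init: %d entries", |blacklist|);
        }

# The reply's testing suggestion: check the size again at shutdown.
event bro_done()
        {
        print fmt("in bro_done: %d entries", |blacklist|);
        }
```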
