[Bro] Load Single Column Table with Input Framework
anthony kasza
anthony.kasza at gmail.com
Wed Nov 6 10:30:50 PST 2013
This is a bother when running Bro on trace files. Bro will finish
processing a trace before reading in an entire table. One hack is to build
the table in a separate file and @load it.
On Nov 6, 2013 10:23 AM, "Seth Hall" <seth at icir.org> wrote:
>
> On Nov 6, 2013, at 12:51 PM, Chris Crawford <
> christopher.p.crawford at gmail.com> wrote:
>
> > I expected print(|blacklist|) to print out 3.
> >
> > I know I must be missing something simple. What am I missing? How
> should I read in a single column table?
>
> The input framework is asynchronous. You are printing before that data
> has been loaded in. You could try waiting a moment (by scheduling an event
> perhaps) and checking again.
>
> event try_again()
> {
> print |blacklist|;
> }
>
> event bro_init()
> {
> Input::add_table([$source="blacklist.file", $name="blacklist",
> $idx=Idx, $destination=blacklist]);
> schedule 2secs { try_again() };
> Input::remove("blacklist");
> }
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131106/f13c9e52/attachment.html
More information about the Bro
mailing list