[Bro] Question about Controller Framework

Alexander Tsankov antsankov at gmail.com
Thu Feb 27 15:15:58 PST 2014


Sounds great! I’m playing around with the global_ids() function, but I’m having the problem of getting too much information. My goal is to only identify global variables that are created in the script, but I am getting internal global variables that I never actually created. 

In my sample bro script I define: 
===========================
global hello: string = "Hello World";
===========================

But when I run the global_ids function I get records for other things, listed below, including but not limited to KEEP_ORIG_ADDR, script_id, etc. My goal is to only print out the script-defined variables. In this case I only want the “hello” record to be printed.

===========================
KEEP_ORIG_ADDR
[type_name=enum, exported=F, constant=F, enum_constant=T, redefinable=F, value=<uninitialized>]
script_id
[type_name=record, exported=F, constant=F, enum_constant=F, redefinable=F, value=<uninitialized>]
gtp_teid1
[type_name=count, exported=F, constant=F, enum_constant=F, redefinable=F, value=<uninitialized>]
hello
[type_name=string, exported=F, constant=F, enum_constant=F, redefinable=F, value=hello world]
===========================

I assume that there must be some table for this, otherwise BRO wouldn’t know when to spit back an error when you try to define something twice.

===========================
global hello: string = "Hello World";
global hello: string = "Hi";
===========================

Is there anything I can do about this information overload? 


Regards, 

Alex Tsankov

On Feb 26, 2014, at 8:55 AM, Siwek, Jonathan Luke <jsiwek at illinois.edu> wrote:

> 
> On Feb 25, 2014, at 5:47 PM, Alexander Tsankov <antsankov at gmail.com> wrote:
> 
>> 1) Is it possible for one BRO script (Script 1) to send a request to another BRO script (Script 2), possibly on the same device, and for Script 2 to return a list of all of its local/global variables without Script 1 having known about any of them?
> 
> There is the global_ids() function [1] to discover globals and whether they’re “exported”, which might be what you want in terms of telling whether it’s a “local” variable — local usually refers to function scope within Bro which probably isn’t what you want.  The other two scopes are module (i.e. private to the module’s namespace) and global (i.e. visible across module namespaces), which are determined by whether it’s exported.
> 
> As far as sending the return value of global_ids() from one Bro instance to another, that should be possible — Bro instances commonly exchange events w/ one another, so it’s just a matter of defining an event to carry this information.
> 
>> 2) Is it possible for Script 1 to modify variables on script 2 on the fly? 
> 
> The send_id() function [2] may be one way to do that.
> 
> - Jon
> 
> [1] http://bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html#id-global_ids
> [2] http://bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html#id-send_id
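
The module and exported scopes described in the quoted reply give one way to narrow the global_ids() output. This is an added example, not code from the thread or from the Bro project; it assumes the script declares its own module namespace, and the names Demo, greeting and hello are hypothetical.

```bro
# Added example; "Demo", "greeting" and "hello" are hypothetical names.
module Demo;

export {
	# Exported: visible to other modules as Demo::greeting.
	global greeting: string = "Hello World";
}

# Not exported: private to the Demo module namespace.
global hello: string = "Hi";

event bro_init()
	{
	local ids = global_ids();

	for ( name in ids )
		{
		# Identifiers declared after "module Demo;" are stored under the
		# "Demo::" prefix. Entries without it come from other scripts or
		# from Bro's internals and are skipped.
		if ( /^Demo::/ in name )
			print fmt("%s type=%s exported=%s", name,
			          ids[name]$type_name, ids[name]$exported);
		}
	}
```

A variable declared without a module statement lives in the default global namespace and carries no prefix, which is why the unprefixed hello in the output above cannot be told apart from names such as KEEP_ORIG_ADDR by name alone.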




