[Bro] basic scripting questions...

Justin Azoff JAzoff at albany.edu
Thu Jul 3 11:33:18 PDT 2014


I think the simplest thing that can help is something like this:

event file_new(f:fa_file) {
    print f;
}

The documentation also has the structure info:

http://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-file_new
http://www.bro.org/sphinx/scripts/base/init-bare.bro.html#type-fa_file


-- 
-- Justin Azoff


On Thu, Jul 03, 2014 at 05:51:55PM +0000, Bill Stackpole wrote:
> 1 - how can I iterate thru the name/value pairs in any given bro event
> type?
> 
> For example, if I were to do the following:
> 
> *** begin script ***
> event file_new(f: fa_file) {
>     local finfo = f$info;
>     local fuid = f$id;
>     local fsource = f$source;
>     local ftype = f$type;
> 
>     local fname = f$name;
> 
>     print fmt("*** found %s in %s. saved as %s. FileID is %s. \n File info is %s.", ftype, fsource, fname, fuid, finfo);
> }
> *** end script ***
> 
> The finfo variable contents would be displayed. (is this a complete list
> of the name/value pairs?)
> 
> I would like to do the same with "event file_hash" but cannot understand
> how to display a similar variable to that of "info".
> 
> 2 - as an extension of the above enumeration question, how do I determine
> what elements in a given event are available for me to use for
> conditionals/structured programming/etc?
> 	
> 
> My first goal is to understand the variable types that are defined and be
> able to explain that to my students. Then we can move on to use them to
> create scripts to act on interesting things. Finally, I would like to
> explore machine learning with bro.
> 
> Thanks!
> Bill
> 
> Bill.stackpole at rit.edu
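A fuller version of Justin's `print f` suggestion, added here and not part of the thread: it walks every field of the record in both events Bill asked about, so the same script answers "what is in fa_file" for file_new and file_hash. It assumes the record_fields() built-in and the ?$ optional-field test; both exist in current Zeek, and whether the Bro release used on this thread has record_fields() is an assumption to check against its documentation.

```zeek
# Added example, not from the thread. Three ways to learn what a record
# such as fa_file carries: print it whole, test optional fields with ?$
# before dereferencing them, and walk the table record_fields() returns.

function dump_fields(rec: any)
    {
    # record_fields() returns table[string] of record_field; each entry
    # carries the field's type name and, when the field is set, its value.
    # (Assumed built-in; verify it exists in your Bro/Zeek version.)
    local fields = record_fields(rec);
    for ( name in fields )
        {
        local fld = fields[name];
        if ( fld?$value )
            print fmt("  %s (%s) = %s", name, fld$type_name, fld$value);
        else
            print fmt("  %s (%s) is not set", name, fld$type_name);
        }
    }

event file_new(f: fa_file)
    {
    # id and source are mandatory fields, so they can be used directly.
    print fmt("file_new for %s from %s", f$id, f$source);
    print f;            # the whole record, as Justin suggested
    dump_fields(f);

    # total_bytes is &optional: guard it with ?$ before using it.
    if ( f?$total_bytes )
        print fmt("  expected size: %d bytes", f$total_bytes);
    }

event file_hash(f: fa_file, kind: string, hash: string)
    {
    # kind and hash are event parameters, not fields of f; f is the same
    # fa_file record seen in file_new, so its fields are the same.
    print fmt("file_hash for %s: %s=%s", f$id, kind, hash);

    # info is the nested Files::Info record Bill printed as finfo.
    if ( f?$info )
        dump_fields(f$info);
    }
```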