[Bro] basic scripting questions...
Justin Azoff
JAzoff at albany.edu
Thu Jul 3 11:33:18 PDT 2014
I think the simplest thing that can help is something like this:
event file_new(f: fa_file)
    {
    print f;
    }
The documentation also has the structure info:
http://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-file_new
http://www.bro.org/sphinx/scripts/base/init-bare.bro.html#type-fa_file
--
-- Justin Azoff
On Thu, Jul 03, 2014 at 05:51:55PM +0000, Bill Stackpole wrote:
> 1 - how can I iterate thru the name/value pairs in any given bro event
> type?
>
> For example, if I were to do the following:
>
> *** begin script ***
> event file_new(f: fa_file) {
>     local finfo = f$info;
>     local fuid = f$id;
>     local fsource = f$source;
>     local ftype = f$type;
>
>     local fname = f$name;
>
>     print fmt("*** found %s in %s. saved as %s. FileID is %s. \n File info is %s.", ftype, fsource, fname, fuid, finfo);
> }
> *** end script ***
>
> The finfo variable contents would be displayed. (is this a complete list
> of the name/value pairs?)
>
> I would like to do the same with "event file_hash" but cannot understand
> how to display a similar variable to that of "info".
>
> 2 - as an extension of the above enumeration question, how do I determine
> what elements in a given event are available for me to use for
> conditionals/structured programming/etc?
>
>
> My first goal is to understand the variable types that are defined and be
> able to explain that to my students. Then we can move on to use them to
> create scripts to act on interesting things. Finally, I would like to
> explore machine learning with bro.
>
> Thanks!
> Bill
>
> Bill.stackpole at rit.edu
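The reply above shows the quickest trick (`print f;`), but Bill's first question asks how to walk a record's name/value pairs generically and how to get at the same information from `file_hash`. The script below is an added example, not code from either poster. It assumes Bro 2.3-era base scripts: the `fa_file` type and its `Files::Info` record behind `f$info`, the `file_hash` event (raised once a hash analyzer finishes), `Files::add_analyzer`, and the `record_fields` BIF, which exposes any record's fields as a `table[string] of record_field`. Field names not on the page (`mime_type`, `conns`, `Files::Info$filename`) are taken from the base scripts of that era; check them against `init-bare.bro` for your version.

```bro
# Added example, not from the original thread. Assumes Bro 2.3-era
# fa_file / Files::Info definitions and the record_fields BIF.

module FileFields;

# Generic dump of a record's name/value pairs. record_fields() returns
# a table keyed by field name whose values carry the field's type name
# and, when the field is set, its current value. This works for any
# record, so the same function serves fa_file and Files::Info.
function dump_record(label: string, r: any)
    {
    local fields = record_fields(r);
    for ( name in fields )
        {
        local rf = fields[name];
        if ( rf?$value )
            print fmt("%s.%s (%s) = %s", label, name, rf$type_name, rf$value);
        else
            print fmt("%s.%s (%s) = <unset>", label, name, rf$type_name);
        }
    }

event file_new(f: fa_file)
    {
    dump_record("fa_file", f);

    # Optional fields must be guarded with ?$ before use; mime_type is
    # only known once enough of the file has been seen.
    if ( f?$mime_type )
        print fmt("%s: mime type %s", f$id, f$mime_type);

    # f$conns maps each conn_id to the connection carrying the file.
    for ( cid in f$conns )
        print fmt("%s: carried over %s:%s -> %s:%s", f$id,
                  cid$orig_h, cid$orig_p, cid$resp_h, cid$resp_p);

    # Attach an extra hash analyzer so file_hash fires with kind "sha256"
    # in addition to whatever the base scripts already attach.
    Files::add_analyzer(f, Files::ANALYZER_SHA256);
    }

# file_hash is raised once per hash analyzer attached to the file, so
# kind ("md5", "sha1", "sha256") tells you which digest this is. The
# same fa_file record is available here, and by now the file framework
# has usually populated f$info.
event file_hash(f: fa_file, kind: string, hash: string)
    {
    print fmt("%s: %s = %s", f$id, kind, hash);

    if ( f?$info )
        {
        dump_record("Files::Info", f$info);
        if ( f$info?$filename )
            print fmt("%s: named %s", f$id, f$info$filename);
        }
    }
```

Run it against a capture with `bro -r some.pcap filefields.bro`; the `dump_record` output lists every field of `fa_file` and `Files::Info` with its type, which is the list of "elements available to use in conditionals" that question 2 asks for, and the `<unset>` entries show which fields need a `?$` guard before they can be used.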