[Bro] bro script question.
Bryant, Thomas
Thomas.Bryant at parsons.com
Wed Jun 4 06:49:57 PDT 2014
All,
I've run a script against a pcap file:
----------------------------------------------------------------
module TstLog;

export {
    redef enum Log::ID += { LOG };

    type TstRec: record {
        data: string &log;
    };
}

event connection_established(c: connection) {
    local str = fmt("Connection established: %s", c$id);
    print fmt("%s\n", str); #TEST
    # Log::write(TstRec::LOG, $data=str);
    # Log::write(TstLog::LOG, [$data=mkString()]);
}

function mkString(): string {
    return "This is a string.";
}

event bro_init() {
    Log::create_stream(LOG, [$columns=TstRec]);
}

event bro_done() {
    Log::write(TstLog::LOG, [$data=mkString()]);
}
---------------------------------------------------------------
with the following command:
bro tstLog.bro -r myPcapFile.pcap
As written, it works as expected. If I uncomment either of the two Log::write lines in event connection_established, it produces the following error:
1216691467.432370 fatal error in <no location>: Val::CONVERTER (string/record) (Connection established: [orig_h=192.168.1.64, orig_p=39153/tcp, resp_h=74.125.19.103, resp_p=443/tcp])
Note that an identical Log::write in bro_done produces no error.
Can someone explain what's going on here?
Thanks in advance!
Tom