[Bro] port field in file input
Aashish Sharma
asharma at lbl.gov
Wed Jun 18 12:35:15 PDT 2014
You have to format the input file in this manner, e.g.:

    #fields exclude_ip exclude_port t comment
    1.2.3.4 25 tcp mail

and define the input structs as:

    type ipportexclude_Idx: record {
        exclude_ip: addr;
        exclude_port: port &type_column="t";
    };

    type ipportexclude_Val: record {
        exclude_ip: addr;
        exclude_port: port &type_column="t";
        comment: string &optional;
    };

Hope this helps,
Aashish
On Wed, Jun 18, 2014 at 06:20:59PM +0000, Michael Wenthold wrote:
>
> Is there anything that prevents me from loading data from a file with an idx
> type "port"?
> I'm trying to put the data in a file:
> #fields tgt_port       tgt_subnet
> #types port   subnet
> 5222/tcp       74.127.0.0/24
> but when my script tries to load the file I get the following error:
> Input::READER_ASCII: Number '5222/tcp' contained non-numeric trailing
> characters. Ignored trailing characters '/tcp'
> The file reader table idx types are all set to type "port". I know I can
> just put all of the information in the script instead of offloading it to a
> file, but I don't see anything that would prevent me from offloading the
> information to a file. I feel like I'm missing something really basic, but
> I'm definitely missing something.
--
Aashish Sharma (asharma at lbl.gov)
Cyber Security,
Lawrence Berkeley National Laboratory
http://go.lbl.gov/pgp-aashish
Office: (510)-495-2680 Cell: (510)-612-7971
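
The layout described in the reply above, wired into a complete script that loads the file into a table. This is an added example, not code from the thread or from the Bro project. The file name exclude.tsv, the module name, the stream name and the table name are assumptions, and the value record here carries only the comment column.

```bro
# Added example. Assumed input file "exclude.tsv" (hypothetical name),
# with columns separated by single TAB characters:
#
#   #fields	exclude_ip	exclude_port	t	comment
#   1.2.3.4	25	tcp	mail
#
# The port number and the protocol live in separate columns. Writing
# "25/tcp" in one column is what triggers the "non-numeric trailing
# characters" message quoted in the question.

module PortExclude;

export {
    type Idx: record {
        exclude_ip: addr;
        # Number is read from column "exclude_port", protocol from column "t".
        exclude_port: port &type_column="t";
    };

    type Val: record {
        comment: string &optional;
    };

    # Index types must match the fields of Idx, in order.
    global excluded: table[addr, port] of Val = table();
}

event bro_init()
    {
    Input::add_table([$source="exclude.tsv", $name="port_exclude",
                      $idx=Idx, $val=Val, $destination=excluded]);
    }

# Fires once the reader has processed the whole file.
event Input::end_of_data(name: string, source: string)
    {
    if ( name != "port_exclude" )
        return;

    for ( [ip, p] in excluded )
        {
        local v = excluded[ip, p];
        local note = v?$comment ? v$comment : "-";
        # The port prints with its protocol, e.g. 25/tcp.
        print fmt("exclude %s %s (%s)", ip, p, note);
        }
    }
```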