[Bro] port field in file input

Aashish Sharma asharma at lbl.gov
Wed Jun 18 12:35:15 PDT 2014


You have to format the input file in this manner, e.g.:

#fields exclude_ip     exclude_port   t       comment
1.2.3.4   25      tcp     mail


and define the input structs as:

type ipportexclude_Idx: record {
    exclude_ip: addr;
    # the protocol for this port is read from the column named "t"
    exclude_port: port &type_column="t";
};

type ipportexclude_Val: record {
    exclude_ip: addr;
    exclude_port: port &type_column="t";
    comment: string &optional;
};

Hope this helps, 
Aashish 


On Wed, Jun 18, 2014 at 06:20:59PM +0000, Michael Wenthold wrote:
> 
>    Is there anything that prevents me from loading data from a file with an idx
>    type "port"?
>    I'm trying to put the data in a file:
>    #fields tgt_port        tgt_subnet
>    #types  port    subnet
>    5222/tcp        74.127.0.0/24
>    but when my script tries to load the file I get the following error:
>    Input::READER_ASCII:  Number '5222/tcp' contained non-numeric trailing
>    characters. Ignored trailing characters '/tcp'
>    The file reader table idx types are all set to type "port".  I know I can
>    just put all of the information in the script instead of offloading it to a
>    file, but I don't see anything that would prevent me from offloading the
>    information to a file.  I feel like I'm missing something really basic, but
>    I'm definitely missing something.



-- 
Aashish Sharma	(asharma at lbl.gov) 				 
Cyber Security, 
Lawrence Berkeley National Laboratory  
http://go.lbl.gov/pgp-aashish 
Office: (510)-495-2680  Cell: (510)-612-7971
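
One way to wire the two records from the reply into a table load, as an added example that is not part of the original post. The file name exclude.tsv, the table name ipport_exclude and the stream name are assumptions; the file is expected to be tab-separated with the #fields header shown in the reply.

```bro
# Added example (not from the original post).
# Assumed names: exclude.tsv, ipport_exclude.

type ipportexclude_Idx: record {
    exclude_ip: addr;
    # The ASCII reader takes the bare port number from this column and
    # the protocol (tcp/udp/icmp) from the column named "t".
    exclude_port: port &type_column="t";
};

type ipportexclude_Val: record {
    exclude_ip: addr;
    exclude_port: port &type_column="t";
    comment: string &optional;
};

# Two index fields in the Idx record means a two-part table index.
global ipport_exclude: table[addr, port] of ipportexclude_Val = table();

event bro_init()
    {
    Input::add_table([$source="exclude.tsv",
                      $name="ipport_exclude",
                      $idx=ipportexclude_Idx,
                      $val=ipportexclude_Val,
                      $destination=ipport_exclude,
                      $mode=Input::REREAD]);
    }

# Raised once the reader has finished a pass over the file.
event Input::end_of_data(name: string, source: string)
    {
    if ( name != "ipport_exclude" )
        return;

    # With the sample row "1.2.3.4  25  tcp  mail" the index is
    # [1.2.3.4, 25/tcp]; writing "25/tcp" in the port column itself
    # produces the "non-numeric trailing characters" reader error.
    if ( [1.2.3.4, 25/tcp] in ipport_exclude )
        print fmt("loaded: %s", ipport_exclude[1.2.3.4, 25/tcp]);
    else
        print "sample row missing; check for reader errors in reporter.log";
    }
```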


