[Bro] How to use the table and queue in Bro

Qinwen Hu qhu009 at aucklanduni.ac.nz
Sat Mar 15 00:37:00 PDT 2014


Hi All,

I am a new Bro user. Recently I have been trying to use Bro to look at reverse
lookups. Therefore, I would like to save all reverse lookup packets into a
queue or array based on the source address. When the next incoming packet
arrives, I will check the source address; if I have this record, then I will
compare the current packet with the previous reverse lookup packets.

I found an example in /dns/main.bro that uses the table and queue together.
So I have defined my table "checking" in the following structure:

type State: record {
    # one queue of previous reverse-lookup queries per source address
    checking: table[addr] of Queue::Queue;
    finished_answers: set[count];
};


I also modified bro/base/protocols/dns/main.bro and added my logic inside the
dns_request event. I check the DNS query; if the query is a reverse lookup
query, I process the following logic:

# c$dns_state is the per-connection DNS State record; tmpString is assumed
# to hold the query name of the current reverse-lookup request.
if ( c$id$orig_h !in c$dns_state$checking )
    c$dns_state$checking[c$id$orig_h] = Queue::init();

if ( Queue::len(c$dns_state$checking[c$id$orig_h]) != 0 )
    {
    # Look at the queued query for this source without removing it.
    # Queue::peek returns 'any', so the local needs an explicit type.
    local tmpString1: string = Queue::peek(c$dns_state$checking[c$id$orig_h]);
    local startIndex = 0;

    ### checking the search pattern: strstr(big, little) looks for the
    ### shorter name inside the longer one and returns 0 if not found
    if ( |tmpString1| > |tmpString| )
        startIndex = strstr(tmpString1, tmpString);
    else
        startIndex = strstr(tmpString, tmpString1);
    }

Queue::put(c$dns_state$checking[c$id$orig_h], tmpString);



I have a problem with " if (c$id$orig_h !in c$dns_state$checking) ": I find
that for every new reverse lookup request, my code initiates a new queue,
and the IF condition ( if (c$id$orig_h !in c$dns_state$checking) ) hasn't
been applied in my code, because I have some packets from the same source
address.

So I am confused, because I have used the source address as the index for
the table, and for every incoming packet I check whether I have the source
address in the table or not.

If you have any ideas, could you please let me know? Many thanks for taking
the time to read my email.


Regards,

Steven
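The same table-of-queues idea as an added example (not the poster's code and not part of Bro's dns scripts): the table is a global keyed on the source address instead of a field of the per-connection c$dns_state record, so an entry is found again on later connections from the same host. The module and identifier names (PtrHistory, ptr_history, max_history, is_reverse_lookup, overlap) are assumptions of this example.

```bro
# Added example, not the original post's code. It keys the history on source
# address in a global table instead of the per-connection c$dns_state record.
# Names PtrHistory, ptr_history, max_history, is_reverse_lookup, overlap are assumed.
@load base/protocols/dns
@load base/utils/queue

module PtrHistory;

export {
	## Recent reverse-lookup names, one bounded queue per source host;
	## entries drop out after an hour without reads.
	global ptr_history: table[addr] of Queue::Queue &read_expire = 1 hr;

	## Names remembered per source; the Queue discards the oldest beyond this.
	const max_history = 50 &redef;
}

function is_reverse_lookup(query: string): bool
	{
	local q = to_lower(query);
	return /\.in-addr\.arpa/ in q || /\.ip6\.arpa/ in q;
	}

# Position of the shorter name inside the longer one (0 = not found).
function overlap(a: string, b: string): count
	{
	return |a| >= |b| ? strstr(a, b) : strstr(b, a);
	}

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
	{
	if ( ! is_reverse_lookup(query) )
		return;

	local src = c$id$orig_h;
	# Global table: the same source is found again on its next connection.
	if ( src !in ptr_history )
		ptr_history[src] = Queue::init([$max_len=max_history]);

	if ( Queue::len(ptr_history[src]) > 0 )
		{
		# Oldest name still queued (the one Queue::get would return next).
		local prev: string = Queue::peek(ptr_history[src]);
		if ( overlap(prev, query) > 0 )
			print fmt("%s: %s overlaps earlier reverse lookup %s", src, query, prev);
		}

	Queue::put(ptr_history[src], query);
	}
```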